WO2018157858A1 - 信息存储方法、装置及计算机可读存储介质 - Google Patents
信息存储方法、装置及计算机可读存储介质 Download PDFInfo
- Publication number
- WO2018157858A1 WO2018157858A1 PCT/CN2018/077880 CN2018077880W WO2018157858A1 WO 2018157858 A1 WO2018157858 A1 WO 2018157858A1 CN 2018077880 W CN2018077880 W CN 2018077880W WO 2018157858 A1 WO2018157858 A1 WO 2018157858A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- ciphertext
- stored
- account address
- private key
- encrypted password
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
- H04L9/16—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
Definitions
- the present disclosure relates to the field of information technology, and in particular, to an information storage method, apparatus, and computer readable storage medium.
- the blockchain can be regarded as a decentralized shared database, which is composed of blocks connected in chronological order, each block storing a hash value associated with the previous block, so that the block There is an irreversible strong correlation between the blocks in the blockchain.
- the shared data related to the transaction process stored in each block is stored by cryptographic authentication, the transaction and data security are guaranteed. Based on this, the blockchain technology is gradually Applied to areas such as finance.
- the account address and the private key are used as the identity information for data sharing on the blockchain, which replaces the username and password in the traditional application.
- an account address corresponds to a certain balance
- the original transaction data is signed by using a private key
- the original transaction data includes the outgoing transaction.
- the amount and transfer to the account address, and the original transaction data and its signature are broadcast to other nodes in the data sharing system.
- the system for storing shared data by using the blockchain technology may be referred to as a data sharing system.
- the data sharing system includes multiple nodes, and each node stores all the shared data of the data sharing system, which may be regarded as backup of each other. After the specified number of nodes successfully verify the signature of the original transaction data, it is determined that the user has the right to transfer the balance in the transferred account address, and then transfers the transferred amount to the transferred account address, thereby completing the transaction. .
- the private key is very important throughout the transaction, and with the private key, it has the right to transfer the balance of the account address.
- a user can have multiple sets of account addresses and private keys.
- the account address and the private key are irregular strings.
- the user generally has the account address and the private key. Recorded in a memo, which can be an electronic document, or a paper document. If the memo is lost or stolen by others, it is easy to cause leakage of the account address and the private key, resulting in loss of the user's property. Therefore, in the data sharing system, how to ensure the security of the account address and the private key owned by the user, thereby ensuring the security of the user property is an urgent problem to be solved.
- the embodiments of the present disclosure provide an information storage method, apparatus, and computer readable storage medium, which solve the problem that the user's property is liable to be lost due to the easy leakage of the account address and the private key.
- the technical solution is as follows:
- an information storage method for use in a terminal device, the method comprising:
- an information storage method for application to a server, the method comprising:
- the user When receiving the information storage request sent by the terminal device, the user is authenticated according to the first user identifier, where the information storage request carries the first user identifier, the account address, and the ciphertext to be stored;
- the account address is stored corresponding to the first user identifier, and the plurality of ciphertext segments are respectively stored to different ciphertext databases corresponding to the account address.
- an information storage device comprising:
- a first obtaining module configured to acquire a first encrypted password and identity information to be stored, where the identity information includes an account address and a private key corresponding to the account address, where the account address is generated in a data sharing system Used in the sharing of data in blocks;
- a first encryption module configured to encrypt the private key based on the first encrypted password to obtain a ciphertext to be stored
- the first storage module is configured to store the account address, and corresponding to the account address, store the ciphertext to be stored in a fragment.
- an information storage device comprising:
- a verification module configured to perform identity verification on the user according to the first user identifier when receiving the information storage request sent by the terminal device, where the information storage request carries the first user identifier, an account address, and a ciphertext to be stored;
- a generating module configured to generate a server serialization factor according to preset configuration information if the authentication succeeds
- a first acquiring module configured to acquire, according to the server serialization factor and the ciphertext to be stored, a plurality of ciphertext segments of the ciphertext to be stored;
- a storage module configured to store the account address corresponding to the first user identifier, and store the plurality of ciphertext segments to different ciphertext databases corresponding to the account address.
- an information storage apparatus comprising: one or more processors, a memory for storing at least one instruction, the at least one instruction being loaded by the processor and performing the following operations:
- an information storage apparatus comprising: one or more processors, a memory for storing at least one instruction, the at least one instruction being loaded by the processor and performing the following operations:
- the user When receiving the information storage request sent by the terminal device, the user is authenticated according to the first user identifier, where the information storage request carries the first user identifier, the account address, and the ciphertext to be stored;
- the account address is stored corresponding to the first user identifier, and the plurality of ciphertext segments are respectively stored to different ciphertext databases corresponding to the account address.
- a storage medium in which at least one instruction is stored, the at least one instruction being loaded and executed by a processor to implement the above-described information storage method applied to a terminal device.
- a storage medium in which at least one instruction is stored, the at least one instruction being loaded and executed by a processor to implement an information storage method applied to a server as described above.
- the terminal device encrypts the private key by using an encrypted password, so that other users cannot decrypt the ciphertext to obtain the private key without knowing the encrypted password, and after the encryption, the embodiment of the present disclosure also shards the ciphertext to be stored. Storage, so that after the ciphertext to be stored is stolen by other users, even if other users steal the encrypted password of the user, the ciphertext to be stored cannot be restored, and the identity information used for identifying the shared data in the data sharing system is improved. Security.
- FIG. 1A is a schematic diagram of a system of a data sharing system according to an embodiment of the present disclosure
- 1B is a system architecture diagram for performing information storage according to an embodiment of the present disclosure
- 1C is a system architecture diagram for performing information storage according to an embodiment of the present disclosure
- FIG. 2A is a flowchart of an information storage method according to an embodiment of the present disclosure
- 2B is a data flow diagram of information storage provided by an embodiment of the present disclosure.
- 2C is a flowchart of ciphertext acquisition according to an embodiment of the present disclosure
- 2D is a flowchart of an encryption password modification provided by an embodiment of the present disclosure.
- 2E is a schematic diagram of a principle of fragment storage according to an embodiment of the present disclosure.
- 2F is a schematic diagram of a principle of fragment storage according to an embodiment of the present disclosure.
- FIG. 3 is a block diagram of an information storage apparatus according to an embodiment of the present disclosure.
- FIG. 4 is a block diagram of an information storage apparatus according to an embodiment of the present disclosure.
- FIG. 5 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- FIG. 6 is a block diagram of an information storage apparatus according to an embodiment of the present disclosure.
- the data sharing system 100 includes a plurality of nodes 101, each of which is a computer in the data sharing system 100.
- the device which can be regarded as a client, can also be regarded as a server, and the node 101 is used to store all shared data in the data sharing system 100.
- the data sharing system 100 uses blockchain technology for data sharing and is a decentralized system. That is, there is no central node in the data sharing system 100, and each node 101 has an equal status in the data sharing system 100. Each node 101 stores the same blockchain.
- the blockchain includes a plurality of blocks, each of which stores different data, and the data stored in all the blocks on the blockchain constitutes all the shared data of the data sharing system 100. Since each node 101 stores all the shared data of the data sharing system 100, as long as there is a node 101 that works normally in the data sharing system 100, the entire system can operate normally.
- the blockchain-based data sharing system 100 uses the account address and the private key as the identity information of the data sharing.
- Data sharing is the exchange of data between different account addresses, and shared data is generated during the data exchange process, and the shared data is stored in the blocks of the respective nodes 101 in the data sharing system 100.
- the shared data generated by one data exchange is stored in the block after determining that the data exchange is successful.
- the data sharing system 100 can be a transaction system, such as a financial transaction system.
- the data sharing system 100 is a transaction system
- the data exchanged between different account addresses is the transfer amount corresponding to the account address.
- the shared data stored by each node 101 is the book data of the transaction.
- the original transaction data needs to be signed by using the private key corresponding to the account address A, and the original transaction data includes the transfer amount and the transfer account address.
- the original transaction data and its signature are then broadcast to other nodes in the data sharing system 100.
- the other node checks the signature according to the public key. When the specified number of nodes verify the signature in the shared data, the user has the right to transfer the balance in the transferred account address, and then transfers the transfer amount to Transfer to the account address to complete the transaction.
- the process of verifying the signature is a zero-knowledge proof process.
- the prover proves to the verifier and believes that he knows or owns the transfer right of an account address, but in the process of certification.
- Information about the certified message cannot be revealed to the verifier. That is, the outgoing party does not send the private key information to the check node, but uses the private key signature and the public key to cause other nodes to verify the identity.
- Any one of the nodes 101 in the data sharing system 100 can transmit information to other nodes through a locally stored node identification list.
- the node identifier of the node 101 may be an IP (Internet Protocol) protocol or any other information that can identify the node. This embodiment does not limit this.
- a user may have multiple sets of account addresses and private keys.
- a public key may be obtained from a private key by a certain algorithm, and an account address corresponding to the private key may be obtained by the public key. Therefore, as the authentication information in the data sharing system 100, the private key is very important, and the loss of the private key directly leads to the loss of the user's property. Therefore, in order to ensure the security of the account address and the private key that the user has in the data sharing system 100, the present embodiment provides an information storage method. For the specific process, refer to the embodiment provided in FIG. 2A.
- FIG. 1B and FIG. 1C are diagrams of a system architecture for information storage provided by the embodiment, which can securely store an account address and a private key in a data sharing system.
- Figure 1B and Figure 1C illustrate the system architecture for information storage from the logical level and device deployment level, respectively.
- the network types involved in the system may include a public network, an extra-domain network, and an intra-domain network according to different access security policies.
- the public network includes the user's terminal devices 110, and the terminal devices 110 can access the Internet arbitrarily, and can also access each other.
- the extra-domain network serves as a bridge between the intranet device and the public network device, and a gateway device 116 for connecting the intra-domain and the public network is disposed inside.
- the gateway device 116 can be divided into multiple gateway device groups, and different gateway device groups are all connected to the load balancing device 118.
- the load balancing device 118 is configured to offload the information storage related request of the terminal device 110 according to the system load, and then the different gateway device groups respectively forward the request to different servers for processing.
- At least one server 112 for providing an information storage service and at least one storage node for storing information are provided in the intranet, each storage node including a ciphertext database 114.
- the different information storage services may be provided by different servers, or may be provided by different storage nodes in a server, which is not limited in this embodiment. Different information storage services may correspond to different storage nodes, and each information storage service is used to store information in a ciphertext database of a corresponding storage node.
- FIG. 1B only the information storage service is used to represent the system logical architecture, wherein the information storage service and the ciphertext database use the configured database access interface for data storage.
- the server deployment mode is illustrated in FIG. 1C, where different gateway device groups correspond to different servers, and each server corresponds to multiple storage nodes.
- This type of deployment is called multipoint deployment.
- the data to be stored is sliced and stored by using a serialization factor. For example, the data to be stored is divided into multiple data segments, and the serialization factors are serialized for multiple data segments, and then stored separately.
- Storage node For a complete data, after the fragment storage, the ciphertext database of different storage nodes stores the data segments of the data, and when all the storage nodes corresponding to one server are successfully stored, the data storage is determined to be successful.
- the server can restore a complete piece of data based on a portion of the data stored in the database.
- a ciphertext database is faulty, the contents stored in the fault ciphertext database can be restored through other ciphertext databases, thereby realizing data synchronization of the ciphertext database when the device fails.
- the terminal device 110 and the server 112 perform data interaction through a preset information storage interface, and the logical functions of the information storage interface are implemented on the terminal device 110 and the server 112.
- the data transmission between the terminal device 110 and the gateway device 116 and between the gateway device 116 and the server 112 is performed by using an encrypted transmission mode to ensure data transmission security.
- the gateway device 116 and the server 112 need to perform identity verification between each other.
- the gateway device 116 may pre-configure a server identifier capable of data interaction, such as an IP address of the server, etc., when the gateway device 116
- the server 112 may also configure the gateway identifier of the gateway device 116 capable of data interaction.
- the server 112 determines that the received data is from the gateway device 116 capable of data interaction, the data is received, otherwise the data is not received.
- FIG. 2A is a flowchart of an information storage method according to an embodiment of the present disclosure.
- a method flow provided by an embodiment of the present disclosure includes:
- the terminal device acquires a first encrypted password and identity identifier information to be stored, where the identity identifier information includes an account address and a private key corresponding to the account address, where the account address is a shared data stored in the block in the data sharing system. Used at the time.
- the terminal device can install an application that provides an information storage function, and the user can store information through the application, for example, storing multiple account addresses and a private key corresponding to each account address.
- the first encrypted password used to encrypt the private key needs to be set.
- the application may be a non-system application on the terminal device or a system application on the terminal device, which is not limited in this embodiment.
- the storage function can also be one of a plurality of functions in an application, for example, the storage function is an account information storage function provided by a transaction-related application.
- the terminal device displays an input interface of the identity information, where the user can input the first encrypted password and the account address to be stored and its corresponding private key in the input interface of the identity information.
- the terminal device obtains the identity information that needs to be stored.
- the server in order to ensure the security of the first encrypted password of the user, the server does not store the first encrypted password of the user in any form, and the terminal device does not perform the interaction of the first encrypted password with the server. .
- the terminal device does not store the plaintext of the first encrypted password, and the user can encrypt the first encrypted password and store it in the local device by using the set secret question and answer, so that when the user forgets the first encrypted password, The first encrypted password can be retrieved through a pre-set secret question.
- the security problem setting function is set by the security policy setting function provided by the terminal device, and the process may be: the terminal device According to the user's secret security setting operation, at least one set of security questions and answers are obtained; the terminal device encrypts the first encrypted password according to at least one set of security questions and answers, and obtains the password ciphertext; the terminal device stores the password ciphertext So that the user can retrieve the first encrypted password based on at least one set of secret questions and answers.
- the terminal device may be configured with at least one security policy in advance, and the user sets a corresponding answer according to the at least one security policy.
- the security policy may be manually set by the user, which is not limited in this embodiment.
- a combination of one or more of the at least one set of security questions and answers, and a preset encryption algorithm may be used to set the user.
- the first encrypted password is encrypted.
- the preset encryption algorithm may be a symmetric or asymmetric encryption algorithm, which is not limited in this embodiment.
- the first point to be explained is that, in order to ensure the security of the first encrypted password, the terminal device deletes the cached information of the first encrypted password after encrypting and storing the first encrypted password by using at least one set of security questions and answers. And deleting the cache information of the secret question and the answer, so that the terminal device does not store any plaintext information of the encrypted password, the secret question and the answer, thereby realizing that other users do not know the answer to the secret question even after the user device is stolen. Under the same time, the user's first encrypted password cannot be obtained.
- the second point to be described is that when the user has multiple sets of account addresses and private keys, the terminal device can store multiple sets of account addresses and private keys at one time, or can store one set of account addresses and private keys at a time. This is not limited.
- the terminal device encrypts the private key based on the first encrypted password, and obtains the ciphertext to be stored.
- the terminal device encrypts the private key based on the first encrypted password, and the process of obtaining the ciphertext to be stored may be: encrypting the private key according to the first encrypted password and the first preset encryption algorithm to obtain a private key ciphertext; Acquiring the signature information of the private key according to the second preset encryption algorithm; using the signature information of the private key ciphertext and the private key as the ciphertext to be stored.
- the first preset encryption algorithm may be a symmetric or asymmetric encryption algorithm such as a 3DS (Triple Data Encryption Algorithm), an AES (Advanced Encryption Standard), or an RSA Algorithm (RSA Algorithm).
- the terminal device may preset one or more encryption algorithms, and the user may select one of the encryption algorithms to perform encryption according to requirements. It should be noted that since the account address can be derived from the private key according to a certain algorithm, the terminal device does not have to encrypt the account address.
- the second preset encryption algorithm may be a hash algorithm such as HMAC-SHA256, and the second preset encryption algorithm is used to sign and verify the private key. After obtaining the signature information of the private key ciphertext and the private key, the signature information of the private key may be placed after the private key ciphertext, thereby obtaining the ciphertext to be stored.
- the terminal device sends an information storage request to the server, where the information storage request carries the first user identifier, the account address, and the ciphertext to be stored.
- the terminal device can establish a secure connection with the server, for example, to establish a connection based on HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) or TLS (Transport Layer Security) to ensure The security of data transmission.
- HTTPS Hyper Text Transfer Protocol over Secure Socket Layer
- TLS Transport Layer Security
- the first user identifier may be an authorization information for authorizing a third-party account to log in when the storage function of the terminal device is used, and the third-party account may be an application account with better security performance, and the application account may be an instant messaging application account.
- the e-commerce application and the like are not limited in this embodiment.
- the third-party account server can generate an authorization serial number according to the third-party account, and the authorization serial number is the authorization information of the third-party account. And the authorization serial number can uniquely identify the third party account.
- the third party account server sends the authorization serial number to the terminal device, so that the server providing the information storage service can verify the correctness of the first user identifier through the third party account server according to the received first user identifier.
- the account address corresponding to the first user identifier may be multiple.
- the terminal device needs to verify the first encrypted password input by the user before sending the information storage request to the server, and if it passes the verification, it is determined.
- the first encrypted password is the encrypted password set by the user, and then the step 203 is performed.
- the process of the verification may be performed after the step 201 and before the step 202, which is not limited in this embodiment.
- the first encrypted password can be verified by using the following two password verification methods:
- the terminal device performs password verification by requesting the encrypted ciphertext from the server.
- the password verification process of the method may be: the terminal device sends a password verification request to the server, where the password verification request carries the first user identifier; and the server receives at least the first user identifier corresponding to the first user identifier according to the received first user identifier.
- the terminal device decrypts the received ciphertext by using the first encrypted password input by the user, and if the decryption is successful, determining that the first encrypted password is the encryption set by the user.
- the password otherwise, determining that the first encrypted password is not an encrypted password set by the user, and denying the terminal device to store information to the server.
- the server may perform a password verification based on the ciphertext, and may return a ciphertext fragment to the terminal device according to the first user identifier, and the terminal device is based on the The ciphertext segment is subjected to password verification, which is not limited in this embodiment.
- the second type of password verification method the terminal device performs password verification through the secret question and the answer.
- the password verification process of the mode is: the terminal device can display a password verification interface, and the password verification interface displays at least one security question, and the user needs to input a corresponding answer to the at least one security question, and the terminal device according to at least one security
- the problem and the answer input by the user decrypt the stored password ciphertext. If the decryption is successful, it is determined that the obtained first encrypted password is an encrypted password set by the user, and the first encrypted password corresponds to the first user identifier, and the execution continues.
- the second password authentication mode may be applied when the terminal device uploads the account address and the ciphertext corresponding to the first user identifier to the server for the first time, that is, the server has not yet stored the first password.
- the account address and cipher text corresponding to the user ID may be applied when the terminal device uploads the account address and the ciphertext corresponding to the first user identifier to the server for the first time, that is, the server has not yet stored the first password.
- the process of the terminal device determining that the server end does not store the account address and the ciphertext corresponding to the first user identifier may be: the terminal device sends a password verification request to the server, where the password verification request carries the first user identifier; The first user identifier determines that the account address and the ciphertext corresponding to the first user identifier are not stored, and returns an unstored message to the terminal device; after receiving the unstored message, the terminal device performs the second password verification. the process of.
- the server when receiving the information storage request sent by the terminal device, performs identity verification on the user according to the first user identifier carried in the information storage request.
- the server that provides the information storage service is simply referred to as a server, and the server corresponding to the third-party account involved is referred to as a third-party account server.
- the process of authenticating the user according to the first user identifier may be: the server sends an identity verification request to the third party account server according to the first user identifier information, and if the third user account server records the first user identifier, If the third account server confirms that the user corresponding to the first user identifier authorizes the third party account to log in when using the storage function of the terminal device, the third party account server returns a verification success message, otherwise returns a verification failure message.
- the server After the server receives the verification success message of the third-party server, it determines that the user's identity verification is successful; when the server receives the verification failure message of the third-party server, determines that the user's identity verification fails, and sends the verification failure message to the terminal device. To terminate the information storage process of the terminal device this time.
- the server may further perform the fragment storage of the obtained ciphertext to be stored, and the process includes the following steps 205 to 207.
- the server If the authentication succeeds, the server generates a server serialization factor according to the preset configuration information.
- the server may be configured with multiple storage nodes, and the different storage nodes may be deployed on different computer devices, or may be deployed on the same computer device.
- the corresponding server in this embodiment may include a computer device. It is also possible to include a plurality of computer devices.
- the server may set configuration information for each storage node in advance so that each storage node has preset configuration information.
- the preset configuration information may include information that can be configured, such as a node identifier of the storage node, storage capability information, and the like.
- the server may generate a server serialization factor corresponding to each storage node according to preset configuration information of each storage node.
- the storage nodes with different configuration information are different, and the corresponding server serialization factors are also different.
- the server serialization factor indicated by the step 205 can be regarded as a general term for the serialization factors corresponding to different storage nodes.
- Each of the storage nodes may be regarded as a ciphertext database, and the preset configuration information corresponding to each storage node may be the same or different, which is not limited in this embodiment.
- the server obtains multiple ciphertext fragments of the ciphertext to be stored according to the server serialization factor and the ciphertext to be stored.
- the server may divide the ciphertext to be stored into multiple data segments according to a preset sharding algorithm; afterwards, the server respectively determines the ciphertext to be stored according to the server serialization factors corresponding to the multiple storage nodes.
- the plurality of data segments are serialized to obtain a plurality of ciphertext segments of the ciphertext to be stored.
- serialization of a data segment means that a predetermined serialization algorithm and a server serialization are used to randomly combine the characters included in the data segment with some random characters to obtain a corresponding ciphertext segment.
- the data included in the plurality of data segments is a subset of the data included in the ciphertext to be stored, and different data segments may include the same data, and different data segments are not identical, so that the server is based on the multiple A portion of the data segment in the data segment can be restored to obtain the ciphertext to be stored.
- the number of the multiple data segments may be set or modified by the server according to actual storage requirements. For example, when it is desired to perform data restoration through two storage nodes in an actual application, the number of the multiple data segments is at least 3. Correspondingly, the server needs to deploy 3 storage nodes.
- the ciphertext to be stored is fragmented and stored, and serialized encryption storage is further performed in each ciphertext fragment. Improve the security of information storage.
- the server stores the account address corresponding to the first user identifier, and stores the plurality of ciphertext segments into different ciphertext databases corresponding to the account address.
- the server stores the user identifier and the account address correspondingly, and can record the storage location of each ciphertext segment, so as to associate the account address with the storage location of each ciphertext segment, so that the user identifier and The account address can uniquely identify a ciphertext, that is, the user ID and the account address are used as an index of the ciphertext.
- the storing the plurality of ciphertext segments to different ciphertext databases separately means storing the plurality of ciphertext segments to different storage nodes, and after each storage node determines that the storage is successful, the server determines the plurality of ciphertext segments. The ciphertext fragments are successfully stored. At this time, the server can return a message indicating that the storage is successful to the terminal device.
- the foregoing steps 203 to 207 are storage account addresses, and corresponding to the account address, the process of storing the ciphertext to be stored in a fragment, in which the terminal device sends the first user identifier, the account address to be stored, and the ciphertext to be stored to the server.
- the server stores the account address corresponding to the first user identifier, and stores the ciphertext to be stored in the corresponding account address fragment.
- the ciphertext to be stored is fragmented, and the divided plurality of data segments are serialized and stored in different ciphertext databases, so that even if the ciphertext database information is stolen by other users, other users cannot restore the complete illegitimate data.
- the ciphertext is less likely to obtain the private key corresponding to the ciphertext, which improves the security of information storage.
- FIG. 2B shows a data flow diagram corresponding to the process, wherein serialization refers to serializing the ciphertext by using a server serialization factor.
- the terminal device may further store the account address and the ciphertext to be stored locally, so that the information is stored based on the terminal device, so that the stored information is isolated from the network, and other users cannot steal the terminal device locally through the network.
- the stored information improves the security of information storage.
- the process may further include the following steps a1 to a3:
- Step a1 The terminal device generates a client serialization factor according to the device identification information of the local terminal.
- the terminal device may perform the step a1 after the user selects to store the account address and the ciphertext to be stored locally; of course, the terminal device may perform the step a1 by default after obtaining the account address and the ciphertext to be stored.
- the account address and the ciphertext to be stored are stored locally.
- the process of storing the account address and the ciphertext to be stored to the local storage and the storage to the server may be performed at the same time, or may be performed separately, which is not limited in this embodiment.
- Step a2 The terminal device acquires multiple ciphertext segments of the ciphertext to be stored according to the client serialization factor and the ciphertext to be stored.
- the terminal device may divide the ciphertext to be stored into a plurality of data segments according to a preset sharding algorithm; the terminal device serializes the plurality of data segments according to the client serialization factor to obtain the ciphertext to be stored. Multiple ciphertext fragments.
- Step a3 Store multiple ciphertext segments into different local ciphertext databases, and establish a correspondence between the account address and multiple ciphertext segments.
- the terminal device can record the storage location of each ciphertext segment, and associate the account address with the storage location of each ciphertext segment.
- the different ciphertext segments may be stored in different disk partitions of the terminal device, or stored in different locations on the same disk partition, so that the stored multiple ciphertext segments are unordered, thereby encrypting the first encrypted password. On the basis of further guarantee the security of information storage.
- the terminal device when the terminal device stores the account address and the ciphertext to be stored, the user can specify a corresponding storage directory and file name. Because the device identification information of different terminal devices is different, the client serialization factors corresponding to different terminal devices are usually different. Therefore, even if the information stored by one terminal device is stolen by other users, other users cannot use other terminal devices to obtain the information. Specific content. Moreover, the terminal serialization factor is not stored locally by the terminal device, and the client serialization factor is intermediate generated data in a plurality of ciphertext processes in which the terminal device acquires the ciphertext to be stored, and obtains multiple ciphertexts even in the foregoing manner. The client serialization factor is cached in the process of the fragment.
- the terminal device After acquiring the ciphertext fragments of the ciphertext to be stored, the terminal device also clears the cached client serialization factor to ensure that other users do not obtain the ciphertext segment.
- the client serializes the factors to ensure the security of the local information store.
- the terminal device may perform password verification in the same manner as the above two password authentication methods.
- the difference between the two methods is that the terminal device obtains a ciphertext arbitrarily from the local ciphertext database.
- the terminal device performs the process of the second password authentication mode after determining that the local storage account address and the corresponding ciphertext are not determined, and the same is not described herein.
- the terminal device can obtain the data exchange required from the ciphertext database.
- the ciphertext corresponding to the account address and after decrypting the ciphertext, obtain the private key corresponding to the account address, so that the terminal device can use the private key to sign the exchange data for subsequent data exchange process.
- the process of obtaining the ciphertext corresponding to the account address by the terminal device may include the following steps b1 to b5.
- FIG. 2C shows a process of the terminal device acquiring the ciphertext from the server.
- Step b1 When detecting the information obtaining operation, the terminal device acquires the second encrypted password and the target account address input by the user.
- Step b2 After verifying that the second encrypted password is consistent with the encrypted password set by the user, the terminal device acquires the ciphertext corresponding to the target account address.
- the terminal device can obtain the ciphertext corresponding to the target account address in the following two ways:
- the terminal device obtains the ciphertext corresponding to the target account address from the local ciphertext database.
- the terminal device may obtain the ciphertext corresponding to the target account address from the ciphertext database according to the target account address. It should be noted that some account addresses and cipher texts may not be stored in the terminal device, but stored in the server. Therefore, the terminal device may not have a secret corresponding to the target account address in the query local ciphertext database. In the text, the ciphertext corresponding to the target account address is obtained from the server in the second manner described below.
- the terminal device obtains the ciphertext corresponding to the target account address from the server.
- the process of the terminal device acquiring the ciphertext corresponding to the target account address may be: the terminal device sends a ciphertext acquisition request to the server, where the ciphertext acquisition request includes the target account address; when the server receives the ciphertext Obtaining at least two ciphertext segments corresponding to the target account address according to the target account address; the server deserializing the at least two ciphertext segments according to the server serialization factor to obtain a target account address Ciphertext and send the ciphertext to the terminal device.
- the ciphertext acquisition request may further carry the user identifier, so that the server can perform the query in the account address and the ciphertext range corresponding to the user identifier. It should be noted that, when receiving the ciphertext acquisition request, the server may use the user identifier to perform identity verification, and then perform the step of acquiring at least two ciphertext fragments corresponding to the target account address after the identity verification succeeds, otherwise returning the identity verification. The failure message terminates the process of obtaining the ciphertext.
- the process of the identity verification is the same as the process of the identity verification in step 204, and details are not described herein again.
- the server may deserialize the at least two ciphertext segments according to the server serialization factor, and the process of obtaining the ciphertext corresponding to the target account address may be: storing the plurality of ciphertext segments corresponding to the target address by the server. Positioning, acquiring at least two ciphertext segments from at least two storage nodes included in the plurality of storage nodes; and generating, for each storage node of the at least two storage nodes, the storage node according to configuration information of the storage node
- the server serialization factor and deserializes the ciphertext fragment corresponding to the storage node according to the server serialization factor. After deserializing the at least two ciphertext segments, a ciphertext corresponding to the target account is obtained.
- Step b3 The terminal device decrypts the private key ciphertext included in the ciphertext according to the second encrypted password and the first preset encryption algorithm to obtain decryption information.
- Step b4 The terminal device acquires signature information of the decrypted information according to the second preset encryption algorithm.
- Step b5 If the signature information of the decrypted information is the same as the signature information included in the ciphertext, the terminal device determines that the decrypted information is a private key corresponding to the target account address.
- the user may also modify the encrypted password.
- the process may include the following steps c1 to c7, in order to explain the process more clearly.
- FIG. 2D shows a flow of the terminal device interacting with the server to modify the password.
- Step c1 When the terminal device detects the modification operation of the encrypted password, the original encrypted password and the newly encrypted password input by the user are obtained.
- Step c2 If the original encrypted password is consistent with the encrypted password set by the user, the terminal device acquires at least one ciphertext encrypted by using the original encrypted password.
- the terminal device can verify that the original encrypted password is consistent with the password set by the user, and the verification process is the same as the above two password authentication methods, and details are not described herein.
- the terminal device can obtain at least one ciphertext encrypted by using the original encrypted password in the following two manners, where the at least one ciphertext is all ciphertexts encrypted by using the original encrypted password.
- the terminal device acquires the at least one ciphertext from the server.
- the process of the terminal device acquiring the at least one ciphertext may be: the terminal device sends a password modification request to the server, where the password modification request carries the user identifier; when the server receives the password modification request sent by the terminal device, Acquiring at least one ciphertext corresponding to the second user identifier according to the second user identifier carried in the password modification request, where the at least one ciphertext corresponding to the second user identifier is at least one secret encrypted by using the original encrypted password Afterwards, the server sends the at least one ciphertext to the terminal device.
- the ciphertext segments corresponding to each account address are deserialized to obtain the ciphertext corresponding to each account address.
- the process of deserialization and the process of obtaining the ciphertext corresponding to the target account address by the terminal device from the server in step b2, the process of deserializing the ciphertext segment by the server is the same, and is not described herein.
- the server may use the second user identifier to authenticate the user, and after the identity verification succeeds, perform the step of acquiring at least one ciphertext corresponding to the second user identifier. Otherwise, an authentication failure message is returned, and the process of modifying the encrypted password is terminated.
- the process of the user identity verification is the same as the process of the identity verification in step 204, and details are not described herein again.
- the terminal device obtains the at least one ciphertext locally.
- the terminal device may obtain the stored at least one account address and its corresponding at least one ciphertext from the local ciphertext database.
- the terminal device generates a client serialization factor according to the local device identification information, and uses the client serialization factor to perform reverse sequence on the multiple ciphertext segments corresponding to the account address.
- the ciphertext corresponding to the account address is obtained.
- Step c5 The terminal device decrypts each ciphertext in the at least one ciphertext by using the original encryption password to obtain at least one private key corresponding to the at least one ciphertext.
- the decryption process of the terminal device is the same as the above steps b3 to b5, and details are not described herein again.
- Step c6 The terminal device re-encrypts each of the at least one private key by using the new encrypted password to obtain at least one new ciphertext, and stores the at least one new secret according to the at least one account address corresponding to the at least one ciphertext. Text.
- the encryption process of the terminal device is the same as that of step 202, and details are not described herein.
- the at least one new ciphertext may be stored in the following two manners.
- the terminal device sends the at least one new ciphertext to the server for storage by the server.
- the server may update the at least one ciphertext corresponding to the second user identifier to the at least one new ciphertext according to the second user identifier.
- the at least one ciphertext sent by the server to the terminal device may have a certain order, and the sequence is used to identify the order of the at least one account address corresponding to the at least one ciphertext.
- the terminal device may also return at least one new ciphertext corresponding to the at least one ciphertext in the same order, so that the server may perform the fragment storage of the at least one new ciphertext according to the order corresponding to the at least one account address.
- the terminal device stores the at least one new ciphertext locally.
- the at least one ciphertext obtained by the terminal device may have a certain order, and the sequence is used to identify an order of at least one account address corresponding to the at least one ciphertext. Based on the sequence, the terminal device can perform the fragment storage of the at least one new ciphertext corresponding to the at least one account address, and the process of the fragment storage is the same as the steps a1 to a3, and details are not described herein again.
- the terminal device further provides a log query function for information storage.
- the terminal device may record a log of the user using the information storage function, such as an information storage log, an information read log, an information deletion log, and a password modification log. Wait.
- the recorded log includes the IP address of the terminal device and the user behavior information, and the user behavior information may be related information such as information storage, information reading, information deletion, and password modification.
- FIG. 2E shows a schematic diagram of serializing and deserializing ciphertext using a serialization factor, which may be a server.
- the serialization factor can also be a client serialization factor.
- the ciphertext includes multiple characters, and each square in Figure 2E represents one character.
- the ciphertext A is stored as three ciphertext segments, which are ciphertext segment A, ciphertext segment B, and ciphertext segment C.
- the slash-filled squares in the ciphertext segment are the redundancy filled in the serialization process. character.
- FIG. 2F is a schematic diagram of the server or the terminal device storing the ciphertext fragments corresponding to the ciphertext in different ciphertext databases, wherein the ciphertext segment A is stored in the ciphertext database A and the ciphertext fragments are stored in FIG. 2F.
- B is stored to the ciphertext database B.
- the ciphertext fragment C is stored in the ciphertext database C as an example. Of course, after storage, the corresponding ciphertext fragment can also be read from the ciphertext database.
- the terminal device encrypts the private key by using an encrypted password, so that other users cannot decrypt the ciphertext to obtain the private key without knowing the encrypted password, and after the encryption, the embodiment of the present disclosure is still to be
- the stored ciphertext is fragmented and stored, so that after the ciphertext to be stored is stolen by other users, even if other users steal the encrypted password of the user, the ciphertext to be stored cannot be restored, which improves the sharing for the data sharing system.
- the security of the identity information that the data identifies.
- FIG. 3 is a block diagram of an information storage apparatus according to an embodiment of the present disclosure.
- the apparatus includes a first acquisition module 301, a first encryption module 302, and a first storage module 303.
- the first obtaining module 301 is connected to the first encryption module 302, and is configured to obtain a first encrypted password and identity identification information to be stored, where the identity identifier information includes an account address and a private key corresponding to the account address, where the account address is
- the first encryption module 302 is connected to the first storage module 303, and is configured to encrypt the private key based on the first encrypted password to obtain a confidentiality to be stored.
- the first storage module 303 is configured to store the account address, and corresponding to the account address, store the ciphertext to be stored in a fragment.
- the first storage module is configured to send an information storage request to the server, where the information storage request carries the first user identifier, the account address, and the ciphertext to be stored, and the server corresponds to the first The user identifier and the account address, and the ciphertext to be stored is stored in a fragment.
- the first storage module is configured to generate a client serialization factor according to the device identification information of the local terminal device, and perform fragmentation according to the client serialization factor and the ciphertext to be stored, and obtain the And storing a plurality of ciphertext segments of the ciphertext; storing the plurality of ciphertext segments in different local ciphertext databases, and establishing a correspondence between the account address and the plurality of ciphertext segments.
- the first encryption module is configured to encrypt the private key according to the first encrypted password and the first preset encryption algorithm to obtain a private key ciphertext; according to the second preset encryption algorithm, Obtaining signature information of the private key; using the private key ciphertext and the signature information of the private key as the ciphertext to be stored.
- the device further includes:
- a second acquiring module configured to acquire a second encrypted password and a target account address input by the user when the information obtaining operation is detected
- a third obtaining module configured to acquire a ciphertext corresponding to the target account address if the second encrypted password is consistent with the encrypted password set by the user;
- a first decryption module configured to decrypt the private key ciphertext included in the ciphertext according to the second encrypted password and the first preset encryption algorithm, to obtain decryption information
- a fourth acquiring module configured to acquire signature information of the decrypted information according to the second preset encryption algorithm
- a determining module configured to determine that the decrypted information is a private key corresponding to the target account address, if the signature information of the decrypted information is the same as the signature information included in the ciphertext.
- the device further includes:
- a fifth obtaining module configured to set an operation according to a user's secret question, and obtain at least one set of security questions and answers;
- a second encryption module configured to encrypt the first encrypted password according to the at least one set of security questions and answers, to obtain a password ciphertext
- a second storage module configured to store the password ciphertext, so that the user can retrieve the first encrypted password according to the at least one set of security questions and answers.
- the device further includes:
- a sixth obtaining module configured to acquire an original encrypted password and a new encrypted password input by the user when the modification operation of the encrypted password is detected
- a seventh obtaining module configured to acquire at least one ciphertext encrypted by using the original encrypted password if the original encrypted password is consistent with the encrypted password set by the user;
- a second decryption module configured to decrypt each ciphertext in the at least one ciphertext by using the original encryption password, to obtain at least one private key corresponding to the at least one ciphertext
- the first encryption module is further configured to re-encrypt each private key of the at least one private key by using the new encryption password to obtain at least one new ciphertext corresponding to the at least one private key;
- a sending module configured to send the at least one new ciphertext to the server, where the server replaces the at least one ciphertext corresponding to the first user identifier with the at least one new ciphertext.
- the device provided by the embodiment of the present disclosure encrypts the private key by using an encrypted password, so that other users cannot decrypt the ciphertext to obtain the private key without knowing the encrypted password, and after the encryption, the embodiment of the present disclosure is still to be stored.
- the ciphertext is fragmented and stored, so that after the ciphertext to be stored is stolen by other users, even if other users steal the encrypted password of the user, the ciphertext to be stored cannot be restored, and the shared data used in the data sharing system is improved. The security of the identified identity information.
- FIG. 4 is a block diagram of an information storage apparatus according to an embodiment of the present disclosure.
- the apparatus includes a verification module 401, a generation module 402, a first acquisition module 403, and a storage module 404.
- the verification module 401 is connected to the generating module 402, and configured to perform identity verification on the user according to the first user identifier when receiving the information storage request sent by the terminal device, where the information storage request carries the first user identifier, the account address, and The ciphertext is to be stored;
- the generating module 402 is connected to the first obtaining module 403, and is configured to generate a server serialization factor according to the preset configuration information if the identity verification succeeds;
- the first obtaining module 403 is connected to the storage module 404, and configured to: Obtaining, according to the server serialization factor and the ciphertext to be stored, a plurality of ciphertext segments of the ciphertext to be stored;
- the storage module 404 configured to store the account address corresponding to the first user identifier, corresponding to the account address Multiple ciphertext fragments are stored in different ciphertext databases.
- the device further includes:
- a second obtaining module configured to: when receiving the ciphertext obtaining request sent by the terminal device, acquire a plurality of ciphertext segments corresponding to the target account address according to the target account address, where the ciphertext obtaining request carries the target account address;
- a deserialization module configured to deserialize the plurality of ciphertext segments according to the server serialization factor, to obtain a ciphertext corresponding to the target account address;
- the sending module is configured to send the ciphertext to the terminal device, and the terminal device decrypts the ciphertext according to the second encrypted password input by the user, to obtain the private key corresponding to the ciphertext.
- the device further includes:
- the third obtaining module is configured to: when receiving the password modification request sent by the terminal device, obtain at least one ciphertext corresponding to the second user identifier according to the second user identifier carried in the password modification request;
- the sending module is further configured to send the at least one ciphertext to the terminal device, where the terminal device decrypts the at least one ciphertext according to the original encrypted password input by the user, and decrypts the decrypted according to the newly encrypted password input by the user. Re-encrypting at least one private key and returning at least one new ciphertext after re-encryption;
- an update module configured to update the at least one ciphertext corresponding to the second user identifier to the at least one new ciphertext according to the second user identifier.
- the device provided by the embodiment of the present disclosure encrypts the private key by using an encrypted password, so that other users cannot decrypt the ciphertext to obtain the private key without knowing the encrypted password, and after the encryption, the embodiment of the present disclosure is still to be stored.
- the ciphertext is fragmented and stored, so that after the ciphertext to be stored is stolen by other users, even if other users steal the encrypted password of the user, the ciphertext to be stored cannot be restored, and the shared data used in the data sharing system is improved. The security of the identified identity information.
- the information storage device provided by the foregoing embodiment only uses the division of each functional module described above when storing information. In actual applications, the function distribution may be completed by different functional modules as needed. The internal structure of the device is divided into different functional modules to perform all or part of the functions described above.
- the information storage device and the information storage method embodiment provided by the foregoing embodiments are in the same concept, and the specific implementation process is described in detail in the method embodiment, and details are not described herein again.
- FIG. 5 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- the terminal device may be used to perform the information storage method in the foregoing embodiments.
- the terminal device 500 includes:
- the terminal device 500 may include an RF (Radio Frequency) circuit 110, a memory 120 including one or more computer readable storage media, an input unit 130, a display unit 140, a sensor 150, an audio circuit 160, and WiFi (Wireless Fidelity,
- the Wireless Fidelity module 170 includes a processor 180 having one or more processing cores, and a power supply 190 and the like. It will be understood by those skilled in the art that the terminal device structure shown in FIG. 5 does not constitute a limitation of the terminal device, and may include more or less components than those illustrated, or a combination of certain components, or different component arrangements. among them:
- the RF circuit 110 can be used for transmitting and receiving information or during a call, and receiving and transmitting the signal. Specifically, after receiving the downlink information of the base station, the downlink information is processed by one or more processors 180. In addition, the data related to the uplink is sent to the base station. .
- the RF circuit 110 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier). , duplexer, etc.
- RF circuitry 110 can also communicate with the network and other devices via wireless communication.
- the wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access). , Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and the like.
- GSM Global System of Mobile communication
- GPRS General Packet Radio Service
- CDMA Code Division Multiple Access
- WCDMA Wideband Code Division Multiple Access
- LTE Long Term Evolution
- e-mail Short Messaging Service
- the memory 120 can be used to store software programs and modules, and the processor 180 executes various functional applications and data processing by running software programs and modules stored in the memory 120.
- the memory 120 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may be stored according to The data created by the use of the terminal device 500 (such as audio data, phone book, etc.) and the like.
- memory 120 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, memory 120 may also include a memory controller to provide access to memory 120 by processor 180 and input unit 130.
- the input unit 130 can be configured to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function controls.
- input unit 130 can include touch-sensitive surface 131 as well as other input devices 132.
- Touch-sensitive surface 131 also referred to as a touch display or trackpad, can collect touch operations on or near the user (such as a user using a finger, stylus, etc., on any suitable object or accessory on touch-sensitive surface 131 or The operation near the touch-sensitive surface 131) and driving the corresponding connecting device according to a preset program.
- the touch-sensitive surface 131 can include two portions of a touch detection device and a touch controller.
- the touch detection device detects the touch orientation of the user, and detects a signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts the touch information into contact coordinates, and sends the touch information.
- the processor 180 is provided and can receive commands from the processor 180 and execute them.
- the touch-sensitive surface 131 can be implemented in various types such as resistive, capacitive, infrared, and surface acoustic waves.
- the input unit 130 can also include other input devices 132.
- other input devices 132 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
- the display unit 140 can be used to display information input by the user or information provided to the user and various graphical user interfaces of the terminal device 500, which can be composed of graphics, text, icons, video, and any combination thereof.
- the display unit 140 may include a display panel 141.
- the display panel 141 may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like.
- the touch-sensitive surface 131 may cover the display panel 141, and when the touch-sensitive surface 131 detects a touch operation thereon or nearby, it is transmitted to the processor 180 to determine the type of the touch event, and then the processor 180 according to the touch event The type provides a corresponding visual output on display panel 141.
- touch-sensitive surface 131 and display panel 141 are implemented as two separate components to implement input and input functions, in some embodiments, touch-sensitive surface 131 can be integrated with display panel 141 for input. And output function.
- Terminal device 500 may also include at least one type of sensor 150, such as a light sensor, motion sensor, and other sensors.
- the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 141 according to the brightness of the ambient light, and the proximity sensor may close the display panel 141 when the terminal device 500 moves to the ear. And / or backlight.
- the gravity acceleration sensor can detect the magnitude of acceleration in all directions (usually three axes). When it is stationary, it can detect the magnitude and direction of gravity.
- the terminal device 500 can also be configured with gyroscopes, barometers, hygrometers, thermometers, infrared sensors and other sensors, here No longer.
- the audio circuit 160, the speaker 161, and the microphone 162 can provide an audio interface between the user and the terminal device 500.
- the audio circuit 160 can transmit the converted electrical data of the received audio data to the speaker 161 for conversion to the sound signal output by the speaker 161; on the other hand, the microphone 162 converts the collected sound signal into an electrical signal by the audio circuit 160. After receiving, it is converted into audio data, and then processed by the audio data output processor 180, transmitted to the terminal device such as another terminal device via the RF circuit 110, or outputted to the memory 120 for further processing.
- the audio circuit 160 may also include an earbud jack to provide communication of the peripheral earphones with the terminal device 500.
- WiFi is a short-range wireless transmission technology
- the terminal device 500 can help users to send and receive emails, browse web pages, and access streaming media through the WiFi module 170, which provides wireless broadband Internet access for users.
- FIG. 5 shows the WiFi module 170, it can be understood that it does not belong to the essential configuration of the terminal device 500, and may be omitted as needed within the scope of not changing the essence of the invention.
- the processor 180 is a control center of the terminal device 500, which connects various portions of the entire terminal device using various interfaces and lines, by running or executing software programs and/or modules stored in the memory 120, and calling stored in the memory 120.
- the data performs various functions and processing data of the terminal device 500, thereby performing overall monitoring of the terminal device.
- the processor 180 may include one or more processing cores; optionally, the processor 180 may integrate an application processor and a modem processor, where the application processor mainly processes an operating system, a user interface, and an application. Etc.
- the modem processor primarily handles wireless communications. It can be understood that the above modem processor may not be integrated into the processor 180.
- the processor 180 loads at least one instruction stored in the memory 120 and performs the following operations:
- the processor can also load the at least one instruction to perform the following operations:
- the information storage request carries the first user identifier, the account address, and the ciphertext to be stored, and the server corresponds to the first user identifier and the account address, and the fragment storage The ciphertext to be stored.
- the processor can also load the at least one instruction to perform the following operations:
- the processor can also load the at least one instruction to perform the following operations:
- the private key ciphertext and the signature information of the private key are used as the ciphertext to be stored.
- the processor can also load the at least one instruction to perform the following operations:
- the decryption information is a private key corresponding to the target account address.
- the processor can also load the at least one instruction to perform the following operations:
- the password ciphertext is stored such that the user can retrieve the first encrypted password based on the at least one set of security questions and answers.
- the processor can also load the at least one instruction to perform the following operations:
- the original encrypted password is consistent with the encrypted password set by the user, acquiring at least one ciphertext encrypted by using the original encrypted password;
- the terminal device 500 further includes a power source 190 (such as a battery) for supplying power to the various components.
- a power source 190 such as a battery
- the power source can be logically connected to the processor 180 through the power management system to manage functions such as charging, discharging, and power management through the power management system.
- Power supply 190 may also include any one or more of a DC or AC power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
- the terminal device 500 may further include a camera, a Bluetooth module, and the like, and details are not described herein again.
- the display unit of the terminal device is a touch screen display
- the terminal device further includes a memory, and one or more programs, wherein one or more programs are stored in the memory and configured to be one or one The above processor executes.
- the one or more programs include executable instructions, and the terminal device 500 is configured to execute instructions to perform the method performed by the terminal device in the above embodiment of the information storage method.
- non-transitory computer readable storage medium comprising instructions, such as a memory comprising instructions executable by a processor in a terminal device to perform the information storage method of the above embodiments.
- the non-transitory computer readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, and an optical data storage device.
- FIG. 6 is a block diagram of an information storage apparatus according to an embodiment of the present disclosure.
- device 600 can be provided as a server.
- apparatus 600 includes a processing component 622 that further includes one or more processors, and memory resources represented by memory 632 for storing instructions executable by processing component 622, such as an application.
- An application stored in memory 632 can include one or more modules each corresponding to a set of instructions.
- processing component 622 is configured to execute instructions to perform the methods performed by the server in the above described information storage method embodiments.
- Device 600 may also include a power supply component 626 configured to perform power management of device 600, a wired or wireless network interface 650 configured to connect device 600 to the network, and an input/output (I/O) interface 658.
- Device 600 may operate based on an operating system stored in the memory 632, for example, Windows Server TM, Mac OS X TM , Unix TM, Linux TM, FreeBSD TM or the like.
- a non-transitory computer readable storage medium comprising instructions, wherein the storage medium stores at least one instruction, such as a memory including instructions, which may be processed by a server The device is executed to complete the information storage method applied to the server in the above embodiment; the at least one instruction may also be executed by a processor in the terminal device to complete the information storage method applied to the terminal device in the above embodiment.
- the non-transitory computer readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, and an optical data storage device.
- a person skilled in the art may understand that all or part of the steps of implementing the above embodiments may be completed by hardware, or may be instructed by a program to execute related hardware, and the program may be stored in a computer readable storage medium.
- the storage medium mentioned may be a read only memory, a magnetic disk or an optical disk or the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Power Engineering (AREA)
- Theoretical Computer Science (AREA)
- Databases & Information Systems (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
本公开公开了一种信息存储方法、装置及计算机可读存储介质,属于信息技术领域。所述方法包括:获取第一加密密码和待存储的身份标识信息,身份标识信息包括账户地址及账户地址对应的私钥,账户地址是在数据共享系统中生成存储于区块的共享数据时所采用;基于第一加密密码,对私钥进行加密,得到待存储密文;存储账户地址,并对应于账户地址,分片存储待存储密文。终端设备采用加密密码对私钥进行加密,使得其他用户在不知道加密密码的前提下无法对密文解密得到私钥,并且在加密后,将待存储密文进行了分片存储,使得待存储密文在被其他用户窃取之后,即使其他用户窃取得到用户的加密密码也无法还原出待存储密文,提高了身份标识信息的安全性。
Description
本申请要求于2017年03月03日提交中国国家知识产权局、申请号为201710124884.5、发明名称为“信息存储方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
本公开涉及信息技术领域,特别涉及一种信息存储方法、装置及计算机可读存储介质。
随着信息技术的发展,区块链技术作为一项全新技术得到大力的发展。其中,区块链可以看作是一种去中心化的共享数据库,由按照时间顺序连接起来的区块组成,每个区块均存储有与前一个区块相关联的哈希值,使得区块链中各个区块之间存在不可逆转的强关联性。此外,由于每个区块所存储的与交易过程相关的共享数据,均是通过密码学方式进行身份验证后存储的,因此保证了交易以及数据的安全性,基于此,区块链技术目前逐渐被应用到金融等领域。
在应用到金融等领域的区块链技术中,采用账户地址和私钥作为在区块链上进行数据共享的身份标识信息,取代了传统应用中的用户名和密码。其中,一个账户地址对应一定余额,在任意一个节点将一个账户地址的部分或全部余额转移至另一个账户地址的过程中,需采用私钥对原始交易数据进行签名,该原始交易数据包括转出数额和转入账户地址,并将该原始交易数据及其签名广播到数据共享系统中的其他节点。其中,采用区块链技术存储共享数据的系统可以称为数据共享系统,数据共享系统中包括多个节点,各个节点均存储有数据共享系统的全部共享数据,可以看作是彼此的备份。当规定数目的节点对该原始交易数据的签名校验成功后,确定用户拥有对转出账户地址中余额的转移权,再将该转出数额转移至转入账户地址中,从而完成本次交易。
在实现本公开的过程中,发明人发现相关技术至少存在以下问题:
在整个交易过程中私钥是非常重要的,拥有了私钥便拥有了对账户地址对应余额的转移权。而在实际应用中,一个用户可以拥有多组账户地址和私钥,而区块链技术中账户地址和私钥均是没有规律的字符串,为了方便记忆,用户一般是将账户地址和私钥记录到备忘录中,该备忘录可以为电子文档,或者纸质文档。如果备忘录丢失或者被他人窃取,则很容易出现账户地址和私钥的泄漏问题,从而导致用户财产的损失。因此,在数据共享系统中,如何保证用户所拥有的账户地址和私钥的安全性,从而保证用户财产的安全性是亟需解决的一个问题。
发明内容
本公开实施例提供了一种信息存储方法、装置及计算机可读存储介质,解决了相关技术中存在的因账户地址和私钥容易泄漏,从而导致的用户财产容易出现损失的问题。所述技术方案如下:
一方面,提供了一种信息存储方法,应用于终端设备,所述方法包括:
获取第一加密密码和待存储的身份标识信息,所述身份标识信息包括账户地址及所述账户地址对应的私钥,所述账户地址是在数据共享系统中生成存储于区块的共享数据时所采用;
基于所述第一加密密码,对所述私钥进行加密,得到待存储密文;
存储所述账户地址,并对应于所述账户地址,分片存储所述待存储密文。
另一方面,提供了一种信息存储方法,应用于服务器,所述方法包括:
当接收到终端设备发送的信息存储请求时,根据第一用户标识对用户进行身份验证,所述信息存储请求携带所述第一用户标识、账户地址和待存储密文;
如果身份验证成功,则根据预设配置信息,生成服务端序列化因子;
根据所述服务端序列化因子和所述待存储密文,获取所述待存储密文的多个密文片段;
对应所述第一用户标识存储所述账户地址,对应所述账户地址将所述多个密文片段分别存储至不同的密文数据库。
另一方面,提供了一种信息存储装置,所述装置包括:
第一获取模块,用于获取第一加密密码和待存储的身份标识信息,所述身份标识信息包括账户地址及所述账户地址对应的私钥,所述账户地址是在数据共享系统中生成存储于区块的共享数据时所采用;
第一加密模块,用于基于所述第一加密密码,对所述私钥进行加密,得到待存储密文;
第一存储模块,用于存储所述账户地址,并对应于所述账户地址,分片存储所述待存储密文。
另一方面,提供了一种信息存储装置,所述装置包括:
验证模块,用于当接收到终端设备发送的信息存储请求时,根据第一用户标识对用户进行身份验证,所述信息存储请求携带所述第一用户标识、账户地址和待存储密文;
生成模块,用于如果身份验证成功,则根据预设配置信息,生成服务端序列化因子;
第一获取模块,用于根据所述服务端序列化因子和所述待存储密文,获取所述待存储密文的多个密文片段;
存储模块,用于对应所述第一用户标识存储所述账户地址,对应所述账户地址将所述多个密文片段分别存储至不同的密文数据库。
另一方面,提供了一种信息存储装置,包括:一个或多个处理器、存储器,所述存储器用于存储至少一条指令,所述至少一条指令由所述处理器加载并执行以下操作:
获取第一加密密码和待存储的身份标识信息,所述身份标识信息包括账户地址及所述账户地址对应的私钥,所述账户地址是在数据共享系统中生成存储于区块的共享数据时所采用;
基于所述第一加密密码,对所述私钥进行加密,得到待存储密文;
存储所述账户地址,并对应于所述账户地址,分片存储所述待存储密文。
另一方面,提供了一种信息存储装置,包括:一个或多个处理器、存储器,所述存储器用于存储至少一条指令,所述至少一条指令由所述处理器加载并执行以下操作:
当接收到终端设备发送的信息存储请求时,根据第一用户标识对用户进行身份验证,所述信息存储请求携带所述第一用户标识、账户地址和待存储密文;
如果身份验证成功,则根据预设配置信息,生成服务端序列化因子;
根据所述服务端序列化因子和所述待存储密文,获取所述待存储密文的多个密文片段;
对应所述第一用户标识存储所述账户地址,对应所述账户地址将所述多个 密文片段分别存储至不同的密文数据库。
另一方面,提供了一种存储介质,所述存储介质中存储有至少一条指令,所述至少一条指令由处理器加载并执行以实现上述的应用于终端设备的信息存储方法。
另一方面,提供了一种存储介质,所述存储介质中存储有至少一条指令,所述至少一条指令由处理器加载并执行以实现如上述的应用于服务器的信息存储方法。
本公开实施例提供的技术方案带来的有益效果是:
终端设备采用加密密码对私钥进行加密,使得其他用户在不知道加密密码的前提下无法对密文解密得到私钥,并且在加密后,本公开实施例还将待存储密文进行了分片存储,使得待存储密文在被其他用户窃取之后,即使其他用户窃取得到用户的加密密码也无法还原出待存储密文,提高了用于对数据共享系统中的共享数据进行标识的身份标识信息的安全性。
为了更清楚地说明本公开实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本公开的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。
图1A是本公开实施例提供的一种数据共享系统的系统示意图;
图1B是本公开实施例提供的一种用于进行信息存储的系统架构图;
图1C是本公开实施例提供的一种用于进行信息存储的系统架构图;
图2A是本公开实施例提供的一种信息存储方法的流程图;
图2B是本公开实施例提供的一种信息存储的数据流图;
图2C是本公开实施例提供的一种密文获取的流程图;
图2D是本公开实施例提供的一种加密密码修改的流程图;
图2E是本公开实施例提供的一种分片存储的原理示意图;
图2F是本公开实施例提供的一种分片存储的原理示意图;
图3是本公开实施例提供的一种信息存储装置的框图;
图4是本公开实施例提供的一种信息存储装置的框图;
图5是本公开实施例提供的一种终端设备的结构示意图;
图6是本公开实施例提供的一种信息存储装置的框图。
为使本公开的目的、技术方案和优点更加清楚,下面将结合附图对本公开实施方式作进一步地详细描述。
在对本公开进行详细的解释说明之前,先对本实施例涉及的数据共享系统进行介绍,如图1A所示,数据共享系统100包括多个节点101,每个节点101是数据共享系统100中的计算机设备,该计算机设备可以看作是客户端,也可以看作是服务器,节点101用于存储数据共享系统100中的全部共享数据。数据共享系统100采用区块链技术进行数据共享,是一个去中心化的系统,也即是,数据共享系统100中没有中心节点,各个节点101在数据共享系统100中的地位是平等的,每个节点101均存储有相同的区块链。其中,区块链上包括多个区块,每个区块存储有不同的数据,区块链上全部区块存储的数据组成了数据共享系统100的全部共享数据。由于每个节点101均存储有数据共享系统100的全部共享数据,使得数据共享系统100中只要存在正常工作的节点101,整个系统便可以正常运行。
其中,基于区块链的数据共享系统100采用账户地址和私钥作为数据共享的身份标识信息。数据共享即为在不同账户地址之间进行数据交换,在数据交换过程中生成共享数据,该共享数据存储在数据共享系统100中各个节点101的区块中。其中,一次数据交换生成的共享数据都是在确定数据交换成功之后,再存储到区块中的。
其中,数据共享系统100可为交易系统,比如金融交易系统等。当数据共享系统100为交易系统时,不同账户地址之间交换的数据即为账户地址对应的转账数额,相应的,各节点101存储的共享数据即为交易的账本数据。下面以交易系统为例对共享数据的生成过程进行介绍:例如,数据共享系统100中的一个节点将转账数额从账户地址A转移到账户地址B。在交易过程中,需要采用与账户地址A对应的私钥,对原始交易数据进行签名,该原始交易数据包括转账数额和转入账户地址。之后,将该原始交易数据及其签名广播到数据共享系统100中的其他节点。其他节点根据公钥对该签名进行校验,当规定数目的节点对共享数据中的签名均校验成功时,确定用户拥有对转出账户地址中余额的转移权,再将该转账数额转移至转入账户地址中,从而完成本次交易。
其中,对签名进行校验的过程是一个零知识证明的过程,在零知识证明过程中,证明者向验证者证明并使其相信自己知道或拥有某个账户地址的转移权,但证明过程中不能向验证者泄露关于被证明消息的信息。也即是,转出方不会向校验节点发送私钥信息,而是通过私钥签名和公钥来使其他节点进行身份的校验。数据共享系统100中任意一个节点101可以通过本地存储的节点标识列表,向其他节点发送信息。节点101的节点标识可以为IP(Internet Protocol,网络之间互联的协议)地址或者其他任一种能够标识该节点的信息,本实施例对此不作限定。
在实际应用中,一个用户可以拥有多组账户地址和私钥,区块链中可以通过一定算法由私钥得出公钥,再由公钥得到与该私钥对应的账户地址。因此,作为数据共享系统100中的身份验证信息,私钥是非常重要的,私钥的丢失会直接导致用户财产的损失。因此,为了保证用户在数据共享系统100中拥有的账户地址和私钥的安全性,本实施例提供了一种信息存储方法,具体过程参见图2A所提供的实施方式。
图1B和图1C是本实施例提供的一种用于信息存储的系统架构图,该系统可以对数据共享系统中的账户地址和私钥进行安全存储。图1B和图1C分别从逻辑层面和设备部署层面介绍了用于信息存储的系统架构。
其中,根据访问安全策略的不同,该系统所涉及的网络类型可以包括公网、域外网和域内网。公网中包括用户的终端设备110,终端设备110可以任意访问互联网,彼此之间也可以互相访问。
域外网作为域内网设备与公网设备进行交互的桥梁,其内部设置了用于连接域内和公网的网关设备116。在实际应用时,可以将网关设备116划分成多个网关设备组,不同网关设备组均与负载均衡设备118连接。其中,负载均衡设备118用于根据系统负载对终端设备110的信息存储相关请求进行分流,进而由不同网关设备组将请求分别转发至不同的服务器进行处理。
域内网中设置有用于提供信息存储服务的至少一个服务器112,以及用于存储信息的至少一个存储节点,每个存储节点包括一个密文数据库114。其中,不同信息存储服务可以由不同服务器提供,也可以由一个服务器中的不同存储节点提供,本实施例对此不作限定。不同信息存储服务可以对应不同的存储节点,每个信息存储服务用于将信息存储在相应存储节点的密文数据库中。
图1B中仅以信息存储服务来表示系统逻辑架构,其中,信息存储服务与密文数据库之间采用配置的数据库访问接口进行数据存储。
图1C中展示了服务器部署方式,其中,不同网关设备组对应不同的服务器,每个服务器对应多个存储节点。该种部署方式称之为多点部署。在存储过程中,将需要存储的数据采用序列化因子进行分片存储,比如,将待存储数据划分为多个数据段,对多个数据段采用序列化因子进行序列化后,分别存储至不同的存储节点。对于一条完整的数据,在分片存储之后,不同存储节点的密文数据库存储有该数据的数据片段,当一个服务器对应的所有存储节点均存储成功时,方可确定该数据存储成功。
其中,分片后得到的不同数据片段中可以包含相同的信息,但是不同的数据片段之间又不完全相同。服务器可以根据数据库存储的部分数据片段,还原出一条完整的数据。当一个密文数据库故障时,可以通过其他密文数据库还原出该故障密文数据库存储的内容,从而在设备故障时实现密文数据库的数据同步。
其中,终端设备110和服务器112之间通过预设的信息存储接口进行数据交互,终端设备110以及服务器112上均实现了该信息存储接口的逻辑功能。
需要说明的是,终端设备110与网关设备116之间、以及网关设备116与服务器112之间均采用加密传输方式进行数据交互,以保证数据传输的安全性。其中,网关设备116与服务器112之间进行交互时,彼此之间需要进行身份验证,例如,网关设备116中可以预先配置能够进行数据交互的服务器标识,如服务器的IP地址等,当网关设备116需要向服务器112转发数据或者将服务器112的数据转发至终端设备110时,需要确定涉及到的服务器的服务器标识包含在配置的服务器标识中才进行数据转发,否则不进行数据转发。另外,服务器112也可以配置能够进行数据交互的网关设备116的网关标识,当服务器112确定接收到的数据来自能够进行数据交互的网关设备116时,才进行数据接收,否则不进行数据接收。
图2A是本公开实施例提供的一种信息存储方法的流程图,参见图2A,本公开实施例提供的方法流程包括:
201、终端设备获取第一加密密码和待存储的身份标识信息,该身份标识信息包括账户地址及该账户地址对应的私钥,该账户地址是在数据共享系统中 生成存储于区块的共享数据时所采用。
终端设备可以安装提供信息存储功能的应用,用户可以通过该应用进行信息存储,比如将拥有的多个账户地址以及每个账户地址对应的私钥进行存储。当用户首次使用该应用时,需要设定用于加密私钥的第一加密密码。
其中,该应用可以为终端设备上的非系统应用,也可以为终端设备上的系统应用,本实施例对此不作限定。当然,该存储功能也可以为一个应用内多项功能中的一项功能,例如,该存储功能是交易相关应用提供的账户信息存储功能等。当用户需要使用该存储功能时,终端设备显示身份标识信息的输入界面,用户可以在该身份标识信息的输入界面中,输入第一加密密码以及需要存储的账户地址及其对应的私钥,以使终端设备获取到需要存储的身份标识信息。
在本实施例中,为了保证用户的第一加密密码的安全性,服务器端不对用户的第一加密密码进行任何形式的存储,并且终端设备也不会与服务器之间进行第一加密密码的交互。此外,终端设备也不会存储第一加密密码的明文,用户可以通过设置的密保问题和答案来对第一加密密码进行加密后存储在终端设备本地,使得在用户忘记第一加密密码时,可以通过预先设置的密保问题来找回第一加密密码。
例如,当用户首次使用终端设备提供的存储功能时,在设定第一加密密码之前或之后,通过终端设备提供的密保问题设置功能,进行密保问题的设置,该过程可以为:终端设备根据用户的密保问题设置操作,获取至少一组密保问题和答案;终端设备根据至少一组密保问题和答案,对第一加密密码进行加密,得到密码密文;终端设备存储密码密文,以便用户能够根据至少一组密保问题和答案找回第一加密密码。
其中,终端设备可以预先设置至少一个密保问题,由用户根据该至少一个密保问题设置相应的答案,当然,密保问题也可以由用户手动设置,本实施例对此不作限定。当终端设备获取到用户设置的至少一组密保问题和答案后,可以采用该至少一组密保问题和答案中的一组或多组的组合,以及预设的加密算法来对用户设定的第一加密密码进行加密。该预设的加密算法可以为对称或非对称加密算法,本实施例对此不作限定。
需要说明的第一点是,为了保证第一加密密码的安全性,终端设备在采用至少一组密保问题和答案对第一加密密码进行加密存储后,会删除第一加密密码的缓存信息,以及删除密保问题和答案的缓存信息,使得终端设备不存储任 何加密密码、密保问题和答案的明文信息,从而实现即使在用户设备被盗之后,其他用户在不知道密保问题答案的前提下,也无法获取用户的第一加密密码。
需要说明的第二点是,当用户拥有多组账户地址和私钥时,可以通过终端设备一次性存储多组账户地址和私钥,也可以一次存储一组账户地址和私钥,本实施例对此不作限定。
202、终端设备基于第一加密密码,对私钥进行加密,得到待存储密文。
终端设备基于第一加密密码,对私钥进行加密,得到待存储密文的过程可以为:根据第一加密密码和第一预设加密算法对私钥进行加密,得到私钥密文;之后,根据第二预设加密算法,获取私钥的签名信息;将私钥密文和私钥的签名信息作为待存储密文。
其中,第一预设加密算法可以为3DES(Triple Data Encryption Algorithm,三重数据加密算法)、AES(Advanced Encryption Standard,高级加密标准)、RSA(RSA Algorithm,RSA加密算法)等对称或非对称加密算法。终端设备可以预先设置一个或多个加密算法,用户可以根据需要选取其中的一种加密算法进行加密。需要说明的是,由于账户地址可以由私钥根据一定算法推导出来,因此,终端设备可以不必对账户地址进行加密。
其中,第二预设加密算法可以为HMAC-SHA256等哈希算法,该第二预设加密算法用于对私钥进行签名和验证。在得到私钥密文和私钥的签名信息后,可以将私钥的签名信息放在私钥密文之后,进而得到待存储密文。
203、终端设备向服务器发送信息存储请求,该信息存储请求中携带第一用户标识、账户地址和待存储密文。
终端设备可以与服务器之间建立安全连接,比如,建立基于HTTPS(Hyper Text Transfer Protocol over Secure Socket Layer,安全超文本传输协议)或TLS(Transport Layer Security,安全传输层协议)的连接等,以确保数据传输的安全。
其中,第一用户标识可以为用户在使用终端设备的存储功能时授权第三方账户登录的授权信息,该第三方账户可以为保密性能较好的应用账户,该应用账户又可以为即时通讯应用账户、电子商务类应用等,本实施例对此不作限定。例如,用户在使用该存储功能时,需要授权第三方账户登录,第三方账户服务器在确认授权后,可以根据该第三方账户生成授权序列号,该授权序列号即为第三方账户的授权信息,且该授权序列号可以唯一标识该第三方账户。第三方 账户服务器将该授权序列号发送至终端设备,以使得提供信息存储服务的服务器能够根据接收到的第一用户标识,通过第三方账户服务器验证该第一用户标识的正确性。其中,第一用户标识对应的账户地址可能存在多个。
需要说明的是,为了保证同一用户标识对应密文的加密方式的一致性,终端设备在向服务器发送信息存储请求之前,还需要对用户输入的第一加密密码进行验证,如果通过验证,则确定该第一加密密码即为用户设定的加密密码,之后再执行该步骤203,当然,该验证的过程还可以在步骤201之后、步骤202之前执行,本实施例对此不作限定。
其中,可以采用如下两种密码验证方式该对第一加密密码进行验证:
第一种密码验证方式、终端设备通过向服务器请求加密的密文来进行密码验证。
该种方式的密码验证过程可以为:终端设备向服务器发送密码验证请求,该密码验证请求中携带第一用户标识;服务器根据接收到的第一用户标识,从与该第一用户标识对应的至少一个密文中任意获取一个密文返回给终端设备;终端设备采用用户输入的第一加密密码对该接收到的密文进行解密,如果解密成功,则确定该第一加密密码为用户设定的加密密码,否则,确定该第一加密密码不是用户设定的加密密码,拒绝终端设备向服务器进行信息存储。
需要说明的是,服务器除了可以向终端设备返回一个密文,由终端设备基于该密文进行密码验证之外,还可以根据第一用户标识向终端设备返回一个密文片段,由终端设备基于该密文片段进行密码验证,本实施例对此不作限定。
第二种密码验证方式、终端设备通过密保问题和答案进行密码验证。
该种方式的密码验证过程为:终端设备可以显示密码验证界面,该密码验证界面中显示至少一个密保问题,用户需要对该至少一个密保问题输入相应的答案,终端设备根据至少一个密保问题以及用户输入的答案,对存储的密码密文进行解密,如果解密成功,则确定获取到的第一加密密码为用户设定的加密密码,第一加密密码与第一用户标识对应,继续执行向服务器进行信息存储的步骤;如果解密失败,则确定获取的第一加密密码不是用户设定的加密密码,终端设备拒绝执行向服务器进行信息存储的过程。
需要说明的是,该第二种密码验证方式可以应用在终端设备第一次向服务器上传与第一用户标识对应的账户地址和密文时,也即,此时服务器还没有存储与该第一用户标识对应的账户地址和密文。其中,终端设备确定服务器端没 有存储该第一用户标识对应的账户地址和密文的过程可以为:终端设备向服务器发送密码验证请求,该密码验证请求携带第一用户标识;如果服务器根据接收到的第一用户标识,确定没有存储与该第一用户标识对应的账户地址和密文,则向终端设备返回未存储消息;终端设备在接收到该未存储消息后,执行上述第二种密码验证的过程。
204、服务器当接收到终端设备发送的信息存储请求时,根据该信息存储请求中携带的第一用户标识对用户进行身份验证。
在本实施例中,将提供信息存储服务的服务器简称为服务器,而涉及的第三方账户对应的服务器称为第三方账户服务器。
其中,服务器根据第一用户标识对用户进行身份验证的过程可以为:服务器根据第一用户标识信息向第三方账户服务器发送身份验证请求,如果第三方账户服务器记录有该第一用户标识,也即是,第三账户服务器确认该第一用户标识对应的用户在使用终端设备的存储功能时授权了第三方账户登录,则第三方账户服务器返回验证成功消息,否则返回验证失败消息。
当服务器接收到第三方服务器的验证成功消息后,确定用户的身份验证成功;当服务器接收到第三方服务器的验证失败消息后,确定用户的身份验证失败,并将该验证失败消息发送至终端设备,以终止终端设备本次的信息存储过程。
此外,为了进一步保证账户地址对应密文的安全性,在对终端设备的身份验证成功后,服务器还可以将获取的待存储密文进行分片存储,该过程包括下述步骤205至步骤207。
205、如果身份验证成功,则服务器根据预设配置信息,生成服务端序列化因子。
在本实施例中,服务器可以配置多个存储节点,不同存储节点可以部署在不同的计算机设备上,也可以部署在相同的计算机设备上,相应的本实施例所指的服务器可以包括一个计算机设备也可以包括多个计算机设备。服务器可以预先对每个存储节点设置配置信息,使得每个存储节点均具有预设配置信息。其中,预设配置信息可以包括存储节点的节点标识、存储能力信息等可以配置的信息。
其中,服务器可以根据每个存储节点的预设配置信息,生成每个存储节点各自对应的服务端序列化因子。预设配置信息不同的存储节点,对应的服务端 序列化因子也不相同。此时,该步骤205所指示的服务端序列化因子,可以看作是不同存储节点对应的序列化因子的统称。其中,每个存储节点可以看作是一个密文数据库,每个存储节点对应的预设配置信息可以相同也可以不同,本实施例对此不作限定。
206、服务器根据服务端序列化因子和待存储密文,获取待存储密文的多个密文片段。
服务器在获取到待存储密文后,可以根据预设分片算法,将该待存储密文划分为多个数据段;之后,服务器根据多个存储节点对应的服务端序列化因子,分别对该多个数据段进行序列化,进而得到该待存储密文的多个密文片段。
其中,对一个数据段进行序列化是指采用预设序列化算法和服务端序列化以因子,将该数据段所包含的字符与一些随机字符进行随机组合,得到相应的密文片段。
其中,该多个数据段所包含的数据为该待存储密文所包含数据的子集,不同的数据段可以包含相同的数据,且不同的数据段不完全相同,以使得服务器根据该多个数据段中的部分数据段便能够还原得到该待存储密文。其中,该多个数据段的数目可以由服务器根据实际存储需求设定或修改,例如,当实际应用中希望通过两个存储节点便能够进行数据还原时,该多个数据段的数目至少为3个,相应地,服务器需要部署3个存储节点。
通过采用序列化因子,获取待存储密文的多个密文片段,实现了将待存储密文进行分片存储的基础上,在每一个密文片段内部还进行了序列化加密存储,更进一步地提高了信息存储的安全性。
207、服务器对应第一用户标识存储该账户地址,并对应该账户地址将多个密文片段分别存储至不同的密文数据库。
在本实施例中,服务器会将用户标识和账户地址对应存储,并且可以记录每个密文片段的存储位置,实现将账户地址与每个密文片段的存储位置对应起来,使得根据用户标识和账户地址便可以唯一确定一个密文,也即是,将用户标识和账户地址作为密文的索引。其中,将多个密文片段分别存储至不同的密文数据库是指,将该多个密文片段分别存储至不同的存储节点,在每个存储节点均确定存储成功之后,服务器才确定该多个密文片段存储成功,此时,服务器可以向终端设备返回存储成功的消息。
上述步骤203至207为存储账户地址,并对应于账户地址,分片存储待存 储密文的过程,该过程中终端设备将第一用户标识、需要存储的账户地址和待存储密文发送至服务器,由服务器对应第一用户标识存储账户地址,并对应账户地址分片存储待存储密文。通过将待存储密文进行分片,并将划分出来的多个数据段分别序列化后存储至不同的密文数据库,使得即使密文数据库的信息被其他用户窃取,其他用户也不能还原出完整的密文,更不可能得到密文对应的私钥,提高了信息存储的安全性。
为了更加清楚的说明上述步骤201至步骤207的过程,图2B示出了该过程对应的数据流图,其中序列化是指采用服务端序列化因子对密文进行序列化。通过将账户地址和密文存储在服务器端,使得合法用户可以通过任何设备来访问服务器端存储的账户地址和密文,在提高了安全存储的同时实现了信息的云端存储。
在另一种实施方式中,终端设备还可以将账户地址和待存储密文存储在本地,实现将信息基于终端设备存储,使得存储的信息与网络隔绝,其他用户无法通过网络途径窃取终端设备本地存储的信息,提高了信息存储的安全性。相应的,本实施例的信息存储方法在步骤202之后,还可以过程包括下述步骤a1至步骤a3:
步骤a1:终端设备根据本地终端的设备标识信息,生成客户端序列化因子。
终端设备可以在用户选择了将账户地址和待存储密文进行本地存储后,执行该步骤a1;当然终端设备也可以在获取到账户地址和待存储密文后,默认执行该步骤a1,以将账户地址和待存储密文存储在本地。其中,将账户地址和待存储密文存储至本地和存储至服务器的过程可以同时执行,也可以分别执行,本实施例对此不作限定。
步骤a2:终端设备根据客户端序列化因子和待存储密文,获取待存储密文的多个密文片段。
终端设备可以根据预设分片算法,将该待存储密文划分为多个数据段;终端设备根据该客户端序列化因子分别对该多个数据段进行序列化,得到该待存储密文的多个密文片段。
步骤a3:将多个密文片段分别存储至不同的本地密文数据库,建立账户地址与多个密文片段之间的对应关系。
终端设备可以记录每个密文片段的存储位置,将账户地址与每个密文片段的存储位置对应起来。其中,不同的密文片段可以存储至终端设备的不同磁盘 分区,或者存储在同一个磁盘分区的不同位置,以使得存储的多个密文片段是无序的,从而在第一加密密码进行加密的基础上,进一步保证信息存储的安全性。
需要说明的是,在终端设备存储账户地址和待存储密文时,用户可以指定相应的存储目录和文件名。由于不同终端设备的设备标识信息不同,不同终端设备对应的客户端序列化因子通常也不同,因此,即使某个终端设备存储的信息被其他用户窃取,其他用户也不能使用其他终端设备获取该信息的具体内容。而且,终端设备本地不会存储该客户端序列化因子,该客户端序列化因子是终端设备获取待存储密文的多个密文过程中的中间产生数据,且即使在上述获取多个密文片段的过程中缓存了该客户端序列化因子,终端设备在获取到待存储密文的多个密文片段后,也会清除缓存的客户端序列化因子,以确保其他用户不会获取到该客户端序列化因子,从而保证本地信息存储的安全性。
需要说明的是,终端设备在执行步骤a1至步骤a3之前,也可以采用与上述两种密码验证方式同理的方式进行密码验证。与上述两种方式不同点仅在于,针对上述第一种密码验证方式,终端设备从本地密文数据库中任意获取一个密文。针对上述第二种密码验证方式、终端设备在确定本地没有存储账户地址和对应密文后,执行上述第二种密码验证方式的过程,针对同理的密码验证过程,在此不再赘述。
在本实施例中,用户在将账户地址及其对应的密文存储至密文数据库之后,当需要在数据共享系统中进行数据交换时,终端设备可以从密文数据库中获取需要进行数据交换的账户地址对应的密文,并在对密文进行解密后,得到账户地址对应的私钥,从而终端设备可以使用该私钥对交换数据进行签名,以进行后续的数据交换过程。其中,终端设备获取账户地址对应的密文的过程可以包括下述步骤b1至步骤b5,为了更加清楚的说明该流程,图2C示出了终端设备从服务器获取密文的流程。
步骤b1:终端设备在检测到信息获取操作时,获取用户输入的第二加密密码和目标账户地址。
步骤b2:终端设备在验证第二加密密码与用户设定的加密密码一致后,获取与目标账户地址对应的密文。
其中,终端设备验证该第二加密密码与用户设定的加密密码是否一致的过程,与上述两种密码验证过程同理,在此不再赘述。
其中,终端设备可以通过如下两种方式获取与目标账户地址对应密文:
第一种方式、终端设备从本地密文数据库中获取与该目标账户地址对应的密文。
当终端设备本地存储有账户地址和对应的密文时,终端设备可以根据该目标账户地址,从密文数据库中获取与该目标账户地址对应的密文。需要说明的是,对于有些账户地址和密文,可能没有存储在终端设备中,而是存储在服务器端,因此,终端设备可以在查询本地密文数据库中不存在与该目标账户地址对应的密文时,再通过下述第二种方式从服务器获取与该目标账户地址对应的密文。
第二种方式、终端设备从服务器获取与该目标账户地址对应的密文。
在该种方式中,终端设备获取与该目标账户地址对应密文的过程可以为:终端设备向服务器发送密文获取请求,该密文获取请求中包括该目标账户地址;当服务器接收到密文获取请求时,根据目标账户地址,获取与目标账户地址对应的至少两个密文片段;服务器根据服务端序列化因子,对该至少两个密文片段进行反序列化,得到与目标账户地址对应的密文,并将该密文发送至终端设备。
其中,为了提高服务器获取与目标账户地址对应密文的效率,该密文获取请求中还可以携带用户标识,以使得服务器可以在该用户标识对应的账户地址和密文范围内进行查询。需要说明的是,服务器还可以在接收到密文获取请求时,利用用户标识进行身份验证,身份验证成功后再执行获取与目标账户地址对应的至少两个密文片段的步骤,否则返回身份验证失败消息,终止该密文获取的流程。其中,该身份验证的过程与步骤204中身份验证的过程同理,在此不再赘述。
其中,服务器根据服务端序列化因子,对该至少两个密文片段进行反序列化,得到该目标账户地址对应的密文的过程可以为:服务器根据目标地址对应的多个密文片段的存储位置,从多个存储节点包含的至少两个存储节点中获取该至少两个密文片段;对于该至少两个存储节点中的每个存储节点,根据该存储节点的配置信息,生成该存储节点的服务端序列化因子,并根据该服务端序列化因子对该存储节点对应的密文片段进行反序列化。在将该至少两个密文片段均进行反序列化之后,得到与该目标账户对应的密文。
步骤b3:终端设备根据第二加密密码和第一预设加密算法,对密文包括的 私钥密文进行解密,得到解密信息。
步骤b4:终端设备根据第二预设加密算法,获取解密信息的签名信息。
步骤b5:如果解密信息的签名信息与密文包括的签名信息相同,终端设备确定解密信息为与目标账户地址对应的私钥。
在本实施例中,用户还可以对加密密码进行修改,当服务器存储有用户的账户地址及其对应的密文时,该过程可以包括下述步骤c1至步骤c7,为了更加清楚的说明该流程,图2D示出了终端设备与服务器交互修改密码的流程。
步骤c1:当终端设备检测到加密密码的修改操作时,获取用户输入的原加密密码和新加密密码。
步骤c2:如果该原加密密码与用户设定的加密密码一致,终端设备获取采用该原加密密码进行加密的至少一个密文。
其中,终端设备可以验证该原加密密码与用户设定的密码是否一致,验证过程与上述两种密码验证方式同理,在此不再赘述。
其中,终端设备可以通过如下两种方式获取采用该原加密密码进行加密的至少一个密文,该至少一个密文为采用该原加密密码进行加密的所有密文。
第一种方式、终端设备从服务器获取该至少一个密文。
在该种方式中,终端设备获取该至少一个密文的过程可以为:终端设备向服务器发送密码修改请求,该密码修改请求中携带用户标识;当服务器接收到终端设备发送的密码修改请求时,根据密码修改请求中携带的第二用户标识,获取与第二用户标识对应的至少一个密文,该与第二用户标识对应的至少一个密文即为采用该原加密密码进行加密的至少一个密文;之后,服务器将该至少一个密文发送至终端设备。
需要说明的是,服务器获取与第二用户标识对应的至少一个密文的过程中,会对每个账户地址对应的多个密文片段进行反序列化,进而得到每个账户地址对应的密文,该反序列化的过程与步骤b2中终端设备从服务器获取与该目标账户地址对应的密文时,服务器对密文片段进行反序列化的过程同理,在此不做赘述。
需要说明的是,服务器还可以在接收到密文获取请求时,利用第二用户标识对用户进行身份验证,在身份验证成功后,再执行获取与第二用户标识对应的至少一个密文的步骤,否则返回身份验证失败消息,终止该加密密码修改的流程。其中,该用户身份验证的过程与步骤204中身份验证的过程同理,在此 不再赘述。
第二种方式、终端设备从本地获取该至少一个密文。
终端设备可以从本地密文数据库获取存储的至少一个账户地址及其对应的至少一个密文。其中,对于每个账户地址对应的密文,终端设备根据本地的设备标识信息,生成客户端序列化因子,利用该客户端序列化因子,对该账户地址对应的多个密文片段进行反序列化,得到该账户地址对应的密文。
步骤c5:终端设备采用原加密密码对至少一个密文中的每个密文进行解密,得到该至少一个密文对应的至少一个私钥。
对于每个密文,终端设备对其的解密过程与上述步骤b3至b5同理,在此不再赘述。
步骤c6:终端设备采用新加密密码对至少一个私钥中的每个私钥进行重新加密,得到至少一个新密文,根据该至少一个密文对应的至少一个账户地址,存储该至少一个新密文。
其中,对于每个私钥,终端设备对其的加密过程与步骤202同理,在此不做赘述。
其中,可以采用如下两种方式存储该至少一个新密文。
第一种方式、终端设备将该至少一个新密文发送至服务器,由服务器进行存储。
在该种方式中,服务器可以根据第二用户标识,将该第二用户标识对应的至少一个密文更新为该至少一个新密文。例如,在步骤c2中,服务器向终端设备发送的至少一个密文可以具有一定的顺序,该顺序用于标识该至少一个密文对应的至少一个账户地址的顺序。终端设备也可以按照相同的顺序返回与该至少一个密文对应的至少一个新密文,使得服务器可以根据该顺序对应该至少一个账户地址,实现分片存储该至少一个新密文。
第二种方式、终端设备将该至少一个新密文存储在本地。
在步骤c2中,终端设备获取的至少一个密文可以具有一定的顺序,该顺序用于标识该至少一个密文对应的至少一个账户地址的顺序。基于该顺序,终端设备可以对应该至少一个账户地址,实现分片存储该至少一个新密文,该分片存储的过程与步骤a1至步骤a3同理,在此不再赘述。
此外,用户还可以对存储的账户地址和密文进行删除或修改等操作。在本实施例中,终端设备还提供了信息存储的日志查询功能,例如,终端设备可以 记录用户使用该信息存储功能的日志,比如信息存储日志、信息读取日志、信息删除日志、密码修改日志等。记录的日志中包括终端设备的IP地址以及用户行为信息,该用户行为信息可以为信息存储、信息读取、信息删除、密码修改等相关信息。
为了更加清楚的说明采用序列化的方式对密文进行分片存储的过程,图2E示出了采用序列化因子对密文进行序列化和反序列化的示意图,该序列化因子可以为服务端序列化因子也可以为客户端序列化因子。在图2E中,密文包括多字符,图2E中每个方格代表一个字符。该密文A被存储为三个密文片段,分别为密文片段A、密文片段B和密文片段C,密文片段中采用斜线填充的方格为序列化过程中填充的冗余字符。
图2F中示出了服务器或终端设备将密文对应的密文片段存储至不同密文数据库的示意图,其中,在图2F中以将密文片段A存储至密文数据库A、将密文片段B存储至密文数据库B。将密文片段C存储至密文数据库C为例示出。当然,在存储后,还可以从密文数据库中读取相应的密文片段。
本实施例提供的方法,终端设备采用加密密码对私钥进行加密,使得其他用户在不知道加密密码的前提下无法对密文解密得到私钥,并且在加密后,本公开实施例还将待存储密文进行了分片存储,使得待存储密文在被其他用户窃取之后,即使其他用户窃取得到用户的加密密码也无法还原出待存储密文,提高了用于对数据共享系统中的共享数据进行标识的身份标识信息的安全性。
图3是本公开实施例提供的一种信息存储装置的框图。参照图3,该装置包括第一获取模块301,第一加密模块302和第一存储模块303。
其中,第一获取模块301与第一加密模块302连接,用于获取第一加密密码和待存储的身份标识信息,该身份标识信息包括账户地址及该账户地址对应的私钥,该账户地址是在数据共享系统中生成存储于区块的共享数据时所采用;第一加密模块302与第一存储模块303连接,用于基于该第一加密密码,对该私钥进行加密,得到待存储密文;第一存储模块303,用于存储该账户地址,并对应于该账户地址,分片存储该待存储密文。
在一种可能的实现方式中,该第一存储模块用于向服务器发送信息存储请求,该信息存储请求携带第一用户标识、该账户地址和该待存储密文,由该服务器对应该第一用户标识和该账户地址,分片存储该待存储密文。
在一种可能的实现方式中,该第一存储模块用于根据本地终端设备的设备标识信息,生成客户端序列化因子;根据该客户端序列化因子和待存储密文进行分片,获取该待存储密文的多个密文片段;将该多个密文片段分别存储至不同的本地密文数据库,建立该账户地址与该多个密文片段之间的对应关系。
在一种可能的实现方式中,该第一加密模块用于根据该第一加密密码和第一预设加密算法对该私钥进行加密,得到私钥密文;根据第二预设加密算法,获取该私钥的签名信息;将该私钥密文和该私钥的签名信息作为该待存储密文。
在一种可能的实现方式中,该装置还包括:
第二获取模块,用于当检测到信息获取操作时,获取用户输入的第二加密密码和目标账户地址;
第三获取模块,用于如果该第二加密密码与用户设定的加密密码一致,则获取与该目标账户地址对应的密文;
第一解密模块,用于根据该第二加密密码和该第一预设加密算法,对该密文包括的私钥密文进行解密,得到解密信息;
第四获取模块,用于根据该第二预设加密算法,获取该解密信息的签名信息;
确定模块,用于如果该解密信息的签名信息与该密文包括的签名信息相同,则确定该解密信息为与该目标账户地址对应的私钥。
在一种可能的实现方式中,该装置还包括:
第五获取模块,用于根据用户的密保问题设置操作,获取至少一组密保问题和答案;
第二加密模块,用于根据该至少一组密保问题和答案,对该第一加密密码进行加密,得到密码密文;
第二存储模块,用于存储该密码密文,以便该用户能够根据该至少一组密保问题和答案找回该第一加密密码。
在一种可能的实现方式中,该装置还包括:
第六获取模块,用于当检测到加密密码的修改操作时,获取用户输入的原加密密码和新加密密码;
第七获取模块,用于如果该原加密密码与用户设定的加密密码一致,则获取采用该原加密密码进行加密的至少一个密文;
第二解密模块,用于采用该原加密密码对该至少一个密文中每个密文进行解密,得到该至少一个密文对应的至少一个私钥;
所述第一加密模块,还用于采用该新加密密码对该至少一个私钥中的每个私钥进行重新加密,得到该至少一个私钥对应的至少一个新密文;
发送模块,用于将该至少一个新密文发送至该服务器,由该服务器将该第一用户标识对应的该至少一个密文替换为该至少一个新密文。
本公开实施例提供的装置,采用加密密码对私钥进行加密,使得其他用户在不知道加密密码的前提下无法对密文解密得到私钥,并且在加密后,本公开实施例还将待存储密文进行了分片存储,使得待存储密文在被其他用户窃取之后,即使其他用户窃取得到用户的加密密码也无法还原出待存储密文,提高了用于对数据共享系统中的共享数据进行标识的身份标识信息的安全性。
图4是本公开实施例提供的一种信息存储装置的框图。参照图4,该装置包括验证模块401、生成模块402、第一获取模块403和存储模块404。
其中,验证模块401与生成模块402连接,用于当接收到终端设备发送的信息存储请求时,根据第一用户标识对用户进行身份验证,该信息存储请求携带该第一用户标识、账户地址和待存储密文;生成模块402与第一获取模块403连接,用于如果身份验证成功,则根据预设配置信息,生成服务端序列化因子;第一获取模块403与存储模块404连接,用于根据该服务端序列化因子和该待存储密文,获取该待存储密文的多个密文片段;存储模块404,用于对应该第一用户标识存储该账户地址,对应该账户地址将该多个密文片段分别存储至不同的密文数据库。
在一种可能的实现方式中,该装置还包括:
第二获取模块,用于当接收到该终端设备发送的密文获取请求时,根据目标账户地址,获取与该目标账户地址对应的多个密文片段,该密文获取请求中携带该目标账户地址;
反序列化模块,用于根据该服务端序列化因子,对该多个密文片段进行反序列化,得到与该目标账户地址对应的密文;
发送模块,用于将该密文发送至该终端设备,由该终端设备根据用户输入的第二加密密码对该密文进行解密,以得到该密文对应的私钥。
在一种可能的实现方式中,该装置还包括:
第三获取模块,用于当接收到该终端设备发送的密码修改请求时,根据该密码修改请求中携带的第二用户标识,获取与该第二用户标识对应的至少一个密文;
该发送模块还用于将该至少一个密文发送至该终端设备,由该终端设备根据用户输入的原加密密码对该至少一个密文进行解密,根据该用户输入的新加密密码对解密后的至少一个私钥进行重新加密,并返回重新加密后的至少一个新密文;
更新模块,用于根据该第二用户标识,将该第二用户标识对应的该至少一个密文更新为该至少一个新密文。
本公开实施例提供的装置,采用加密密码对私钥进行加密,使得其他用户在不知道加密密码的前提下无法对密文解密得到私钥,并且在加密后,本公开实施例还将待存储密文进行了分片存储,使得待存储密文在被其他用户窃取之后,即使其他用户窃取得到用户的加密密码也无法还原出待存储密文,提高了用于对数据共享系统中的共享数据进行标识的身份标识信息的安全性。
需要说明的是:上述实施例提供的信息存储装置在存储信息时,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将设备的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。另外,上述实施例提供的信息存储装置与信息存储方法实施例属于同一构思,其具体实现过程详见方法实施例,这里不再赘述。
图5是本公开实施例提供的一种终端设备的结构示意图,该终端设备可以用于执行上述各个实施例中信息存储方法。参见图5,该终端设备500包括:
终端设备500可以包括RF(Radio Frequency,射频)电路110、包括有一个或一个以上计算机可读存储介质的存储器120、输入单元130、显示单元140、传感器150、音频电路160、WiFi(Wireless Fidelity,无线保真)模块170、包括有一个或者一个以上处理核心的处理器180、以及电源190等部件。本领域技术人员可以理解,图5中示出的终端设备结构并不构成对终端设备的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件布置。其中:
RF电路110可用于收发信息或通话过程中,信号的接收和发送,特别地, 将基站的下行信息接收后,交由一个或者一个以上处理器180处理;另外,将涉及上行的数据发送给基站。通常,RF电路110包括但不限于天线、至少一个放大器、调谐器、一个或多个振荡器、用户身份模块(SIM)卡、收发信机、耦合器、LNA(Low Noise Amplifier,低噪声放大器)、双工器等。此外,RF电路110还可以通过无线通信与网络和其他设备通信。所述无线通信可以使用任一通信标准或协议,包括但不限于GSM(Global System of Mobile communication,全球移动通讯系统)、GPRS(General Packet Radio Service,通用分组无线服务)、CDMA(Code Division Multiple Access,码分多址)、WCDMA(Wideband Code Division Multiple Access,宽带码分多址)、LTE(Long Term Evolution,长期演进)、电子邮件、SMS(Short Messaging Service,短消息服务)等。
存储器120可用于存储软件程序以及模块,处理器180通过运行存储在存储器120的软件程序以及模块,从而执行各种功能应用以及数据处理。存储器120可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能所需的应用程序(比如声音播放功能、图像播放功能等)等;存储数据区可存储根据终端设备500的使用所创建的数据(比如音频数据、电话本等)等。此外,存储器120可以包括高速随机存取存储器,还可以包括非易失性存储器,例如至少一个磁盘存储器件、闪存器件、或其他易失性固态存储器件。相应地,存储器120还可以包括存储器控制器,以提供处理器180和输入单元130对存储器120的访问。
输入单元130可用于接收输入的数字或字符信息,以及产生与用户设置以及功能控制有关的键盘、鼠标、操作杆、光学或者轨迹球信号输入。具体地,输入单元130可包括触敏表面131以及其他输入设备132。触敏表面131,也称为触摸显示屏或者触控板,可收集用户在其上或附近的触摸操作(比如用户使用手指、触笔等任何适合的物体或附件在触敏表面131上或在触敏表面131附近的操作),并根据预先设定的程式驱动相应的连接装置。可选的,触敏表面131可包括触摸检测装置和触摸控制器两个部分。其中,触摸检测装置检测用户的触摸方位,并检测触摸操作带来的信号,将信号传送给触摸控制器;触摸控制器从触摸检测装置上接收触摸信息,并将它转换成触点坐标,再送给处理器180,并能接收处理器180发来的命令并加以执行。此外,可以采用电阻式、电容式、红外线以及表面声波等多种类型实现触敏表面131。除了触敏表 面131,输入单元130还可以包括其他输入设备132。具体地,其他输入设备132可以包括但不限于物理键盘、功能键(比如音量控制按键、开关按键等)、轨迹球、鼠标、操作杆等中的一种或多种。
显示单元140可用于显示由用户输入的信息或提供给用户的信息以及终端设备500的各种图形用户接口,这些图形用户接口可以由图形、文本、图标、视频和其任意组合来构成。显示单元140可包括显示面板141,可选的,可以采用LCD(Liquid Crystal Display,液晶显示器)、OLED(Organic Light-Emitting Diode,有机发光二极管)等形式来配置显示面板141。进一步的,触敏表面131可覆盖显示面板141,当触敏表面131检测到在其上或附近的触摸操作后,传送给处理器180以确定触摸事件的类型,随后处理器180根据触摸事件的类型在显示面板141上提供相应的视觉输出。虽然在图5中,触敏表面131与显示面板141是作为两个独立的部件来实现输入和输入功能,但是在某些实施例中,可以将触敏表面131与显示面板141集成而实现输入和输出功能。
终端设备500还可包括至少一种传感器150,比如光传感器、运动传感器以及其他传感器。具体地,光传感器可包括环境光传感器及接近传感器,其中,环境光传感器可根据环境光线的明暗来调节显示面板141的亮度,接近传感器可在终端设备500移动到耳边时,关闭显示面板141和/或背光。作为运动传感器的一种,重力加速度传感器可检测各个方向上(一般为三轴)加速度的大小,静止时可检测出重力的大小及方向,可用于识别手机姿态的应用(比如横竖屏切换、相关游戏、磁力计姿态校准)、振动识别相关功能(比如计步器、敲击)等;至于终端设备500还可配置的陀螺仪、气压计、湿度计、温度计、红外线传感器等其他传感器,在此不再赘述。
音频电路160、扬声器161,传声器162可提供用户与终端设备500之间的音频接口。音频电路160可将接收到的音频数据转换后的电信号,传输到扬声器161,由扬声器161转换为声音信号输出;另一方面,传声器162将收集的声音信号转换为电信号,由音频电路160接收后转换为音频数据,再将音频数据输出处理器180处理后,经RF电路110以发送给比如另一终端设备,或者将音频数据输出至存储器120以便进一步处理。音频电路160还可能包括耳塞插孔,以提供外设耳机与终端设备500的通信。
WiFi属于短距离无线传输技术,终端设备500通过WiFi模块170可以帮助用户收发电子邮件、浏览网页和访问流式媒体等,它为用户提供了无线的宽 带互联网访问。虽然图5示出了WiFi模块170,但是可以理解的是,其并不属于终端设备500的必须构成,完全可以根据需要在不改变发明的本质的范围内而省略。
处理器180是终端设备500的控制中心,利用各种接口和线路连接整个终端设备的各个部分,通过运行或执行存储在存储器120内的软件程序和/或模块,以及调用存储在存储器120内的数据,执行终端设备500的各种功能和处理数据,从而对终端设备进行整体监控。可选的,处理器180可包括一个或多个处理核心;可选的,处理器180可集成应用处理器和调制解调处理器,其中,应用处理器主要处理操作系统、用户界面和应用程序等,调制解调处理器主要处理无线通信。可以理解的是,上述调制解调处理器也可以不集成到处理器180中。
可选的,所述处理器180加载所述存储器120中存储的至少一条指令并执行以下操作:
获取第一加密密码和待存储的身份标识信息,所述身份标识信息包括账户地址及所述账户地址对应的私钥,所述账户地址是在数据共享系统中生成存储于区块的共享数据时所采用;
基于所述第一加密密码,对所述私钥进行加密,得到待存储密文;
存储所述账户地址,并对应于所述账户地址,分片存储所述待存储密文。
所述处理器还可加载所述至少一条指令执行以下操作:
向服务器发送信息存储请求,所述信息存储请求携带第一用户标识、所述账户地址和所述待存储密文,由所述服务器对应所述第一用户标识和所述账户地址,分片存储所述待存储密文。
所述处理器还可加载所述至少一条指令执行以下操作:
根据本地终端设备的设备标识信息,生成客户端序列化因子;
根据所述客户端序列化因子和所述待存储密文进行分片,获取所述待存储密文的多个密文片段;
将所述多个密文片段分别存储至不同的本地密文数据库,建立所述账户地址与所述多个密文片段之间的对应关系。
所述处理器还可加载所述至少一条指令执行以下操作:
根据所述第一加密密码和第一预设加密算法对所述私钥进行加密,得到私钥密文;
根据第二预设加密算法,获取所述私钥的签名信息;
将所述私钥密文和所述私钥的签名信息作为所述待存储密文。
所述处理器还可加载所述至少一条指令执行以下操作:
当检测到信息获取操作时,获取用户输入的第二加密密码和目标账户地址;
如果所述第二加密密码与用户设定的加密密码一致,则获取与所述目标账户地址对应的密文;
根据所述第二加密密码和所述第一预设加密算法,对所述密文包括的私钥密文进行解密,得到解密信息;
根据所述第二预设加密算法,获取所述解密信息的签名信息;
如果所述解密信息的签名信息与所述密文包括的签名信息相同,则确定所述解密信息为与所述目标账户地址对应的私钥。
所述处理器还可加载所述至少一条指令执行以下操作:
根据用户的密保问题设置操作,获取至少一组密保问题和答案;
根据所述至少一组密保问题和答案,对所述第一加密密码进行加密,得到密码密文;
存储所述密码密文,以便所述用户能够根据所述至少一组密保问题和答案找回所述第一加密密码。
所述处理器还可加载所述至少一条指令执行以下操作:
当检测到加密密码的修改操作时,获取用户输入的原加密密码和新加密密码;
如果所述原加密密码与用户设定的加密密码一致,则获取采用所述原加密密码进行加密的至少一个密文;
采用所述原加密密码对所述至少一个密文中每个密文进行解密,得到所述至少一个密文对应的至少一个私钥;
采用所述新加密密码对所述至少一个私钥中的每个私钥进行重新加密,得到所述至少一个私钥对应的至少一个新密文;
将所述至少一个新密文发送至所述服务器,由所述服务器将所述第一用户标识对应的所述至少一个密文替换为所述至少一个新密文。
终端设备500还包括给各个部件供电的电源190(比如电池),优选的,电源可以通过电源管理系统与处理器180逻辑相连,从而通过电源管理系统实现 管理充电、放电、以及功耗管理等功能。电源190还可以包括一个或一个以上的直流或交流电源、再充电系统、电源故障检测电路、电源转换器或者逆变器、电源状态指示器等任意组件。
尽管未示出,终端设备500还可以包括摄像头、蓝牙模块等,在此不再赘述。具体在本实施例中,终端设备的显示单元是触摸屏显示器,终端设备还包括有存储器,以及一个或者一个以上的程序,其中一个或者一个以上程序存储于存储器中,且经配置以由一个或者一个以上处理器执行。所述一个或者一个以上程序包含可执行指令,终端设备500被配置为执行指令,以执行上述信息存储方法实施例中终端设备所执行的方法。
在示例性实施例中,还提供了一种包括指令的非临时性计算机可读存储介质,例如包括指令的存储器,上述指令可由终端设备中的处理器执行以完成上述实施例中信息存储方法。例如,所述非临时性计算机可读存储介质可以是ROM、随机存取存储器(RAM)、CD-ROM、磁带、软盘和光数据存储设备等。
图6是本公开实施例提供的一种信息存储装置的框图。例如,装置600可以被提供为一服务器。参照图6,装置600包括处理组件622,其进一步包括一个或多个处理器,以及由存储器632所代表的存储器资源,用于存储可由处理部件622的执行的指令,例如应用程序。存储器632中存储的应用程序可以包括一个或一个以上的每一个对应于一组指令的模块。此外,处理组件622被配置为执行指令,以执行上述信息存储方法实施例中服务器所执行的方法。
装置600还可以包括一个电源组件626被配置为执行装置600的电源管理,一个有线或无线网络接口650被配置为将装置600连接到网络,和一个输入输出(I/O)接口658。装置600可以操作基于存储在存储器632的操作系统,例如Windows Server
TM,Mac OS X
TM,Unix
TM,Linux
TM,FreeBSD
TM或类似。
在示例性实施例中,还提供了一种包括指令的非临时性计算机可读存储介质,所述存储介质中存储有至少一条指令,例如包括指令的存储器,上述至少一条指令可由服务器中的处理器执行以完成上述实施例中应用于服务器的信息存储方法;上述至少一条指令也可由终端设备中的处理器执行以完成上述实施例中应用于终端设备的信息存储方法。例如,所述非临时性计算机可读存储介质可以是ROM、随机存取存储器(RAM)、CD-ROM、磁带、软盘和光数据存储设备等。
本领域普通技术人员可以理解实现上述实施例的全部或部分步骤可以通过硬件来完成,也可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,上述提到的存储介质可以是只读存储器,磁盘或光盘等。
以上所述仅为本公开的可选实施例,并不用以限制本公开,凡在本公开的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本公开的保护范围之内。
Claims (22)
- 一种信息存储方法,其特征在于,应用于终端设备,所述方法包括:获取第一加密密码和待存储的身份标识信息,所述身份标识信息包括账户地址及所述账户地址对应的私钥,所述账户地址是在数据共享系统中生成存储于区块的共享数据时所采用;基于所述第一加密密码,对所述私钥进行加密,得到待存储密文;存储所述账户地址,并对应于所述账户地址,分片存储所述待存储密文。
- 根据权利要求1所述的方法,其特征在于,所述存储所述账户地址,并对应于所述账户地址,分片存储所述待存储密文包括:向服务器发送信息存储请求,所述信息存储请求携带第一用户标识、所述账户地址和所述待存储密文,由所述服务器对应所述第一用户标识和所述账户地址,分片存储所述待存储密文。
- 根据权利要求1所述的方法,其特征在于,所述存储所述账户地址,并对应于所述账户地址,分片存储所述待存储密文包括:根据本地终端设备的设备标识信息,生成客户端序列化因子;根据所述客户端序列化因子和所述待存储密文进行分片,获取所述待存储密文的多个密文片段;将所述多个密文片段分别存储至不同的本地密文数据库,建立所述账户地址与所述多个密文片段之间的对应关系。
- 根据权利要求1所述的方法,其特征在于,所述基于所述第一加密密码,对所述私钥进行加密,得到待存储密文包括:根据所述第一加密密码和第一预设加密算法对所述私钥进行加密,得到私钥密文;根据第二预设加密算法,获取所述私钥的签名信息;将所述私钥密文和所述私钥的签名信息作为所述待存储密文。
- 根据权利要求4所述的方法,其特征在于,所述方法还包括:当检测到信息获取操作时,获取用户输入的第二加密密码和目标账户地址;如果所述第二加密密码与用户设定的加密密码一致,则获取与所述目标账户地址对应的密文;根据所述第二加密密码和所述第一预设加密算法,对所述密文包括的私钥密文进行解密,得到解密信息;根据所述第二预设加密算法,获取所述解密信息的签名信息;如果所述解密信息的签名信息与所述密文包括的签名信息相同,则确定所述解密信息为与所述目标账户地址对应的私钥。
- 根据权利要求1所述的方法,其特征在于,所述获取第一加密密码和待存储的身份标识信息之前,所述方法还包括:根据用户的密保问题设置操作,获取至少一组密保问题和答案;根据所述至少一组密保问题和答案,对所述第一加密密码进行加密,得到密码密文;存储所述密码密文,以便所述用户能够根据所述至少一组密保问题和答案找回所述第一加密密码。
- 根据权利要求2所述的方法,其特征在于,所述方法还包括:当检测到加密密码的修改操作时,获取用户输入的原加密密码和新加密密码;如果所述原加密密码与用户设定的加密密码一致,则获取采用所述原加密密码进行加密的至少一个密文;采用所述原加密密码对所述至少一个密文中每个密文进行解密,得到所述至少一个密文对应的至少一个私钥;采用所述新加密密码对所述至少一个私钥中的每个私钥进行重新加密,得到所述至少一个私钥对应的至少一个新密文;将所述至少一个新密文发送至所述服务器,由所述服务器将所述第一用户标识对应的所述至少一个密文替换为所述至少一个新密文。
- 一种信息存储方法,其特征在于,应用于服务器,所述方法包括:当接收到终端设备发送的信息存储请求时,根据第一用户标识对用户进行身份验证,所述信息存储请求携带所述第一用户标识、账户地址和待存储密文;如果身份验证成功,则根据预设配置信息,生成服务端序列化因子;根据所述服务端序列化因子和所述待存储密文,获取所述待存储密文的多个密文片段;对应所述第一用户标识存储所述账户地址,对应所述账户地址将所述多个密文片段分别存储至不同的密文数据库。
- 根据权利要求8所述的方法,其特征在于,所述方法还包括:当接收到所述终端设备发送的密文获取请求时,根据目标账户地址,获取与所述目标账户地址对应的至少两个密文片段,所述密文获取请求中携带所述目标账户地址;根据所述服务端序列化因子,对所述至少两个密文片段进行反序列化,得到与所述目标账户地址对应的密文;将所述密文发送至所述终端设备,由所述终端设备根据用户输入的第二加密密码对所述密文进行解密,以得到所述密文对应的私钥。
- 根据权利要求8所述的方法,其特征在于,所述方法还包括:当接收到所述终端设备发送的密码修改请求时,根据所述密码修改请求中携带的第二用户标识,获取与所述第二用户标识对应的至少一个密文;将所述至少一个密文发送至所述终端设备,由所述终端设备根据用户输入的原加密密码对所述至少一个密文进行解密,根据所述用户输入的新加密密码对解密后的至少一个私钥进行重新加密,并返回重新加密后的至少一个新密文;根据所述第二用户标识,将所述第二用户标识对应的所述至少一个密文更新为所述至少一个新密文。
- 一种信息存储装置,其特征在于,包括:一个或多个处理器、存储器,所述存储器用于存储至少一条指令,所述至少一条指令由所述处理器加载并执行以下操作:获取第一加密密码和待存储的身份标识信息,所述身份标识信息包括账户地址及所述账户地址对应的私钥,所述账户地址是在数据共享系统中生成存储 于区块的共享数据时所采用;基于所述第一加密密码,对所述私钥进行加密,得到待存储密文;存储所述账户地址,并对应于所述账户地址,分片存储所述待存储密文。
- 根据权利要求11所述的装置,其特征在于,所述处理器加载所述至少一条指令执行以下操作:向服务器发送信息存储请求,所述信息存储请求携带第一用户标识、所述账户地址和所述待存储密文,由所述服务器对应所述第一用户标识和所述账户地址,分片存储所述待存储密文。
- 根据权利要求11所述的装置,其特征在于,所述处理器加载所述至少一条指令执行以下操作:根据本地终端设备的设备标识信息,生成客户端序列化因子;根据所述客户端序列化因子和所述待存储密文进行分片,获取所述待存储密文的多个密文片段;将所述多个密文片段分别存储至不同的本地密文数据库,建立所述账户地址与所述多个密文片段之间的对应关系。
- 根据权利要求11所述的装置,其特征在于,所述处理器加载所述至少一条指令执行以下操作:根据所述第一加密密码和第一预设加密算法对所述私钥进行加密,得到私钥密文;根据第二预设加密算法,获取所述私钥的签名信息;将所述私钥密文和所述私钥的签名信息作为所述待存储密文。
- 根据权利要求14所述的装置,其特征在于,所述处理器加载所述至少一条指令执行以下操作:当检测到信息获取操作时,获取用户输入的第二加密密码和目标账户地址;如果所述第二加密密码与用户设定的加密密码一致,则获取与所述目标账户地址对应的密文;根据所述第二加密密码和所述第一预设加密算法,对所述密文包括的私钥 密文进行解密,得到解密信息;根据所述第二预设加密算法,获取所述解密信息的签名信息;如果所述解密信息的签名信息与所述密文包括的签名信息相同,则确定所述解密信息为与所述目标账户地址对应的私钥。
- 根据权利要求11所述的装置,其特征在于,所述处理器加载所述至少一条指令执行以下操作:根据用户的密保问题设置操作,获取至少一组密保问题和答案;根据所述至少一组密保问题和答案,对所述第一加密密码进行加密,得到密码密文;存储所述密码密文,以便所述用户能够根据所述至少一组密保问题和答案找回所述第一加密密码。
- 根据权利要求12所述的装置,其特征在于,所述处理器加载所述至少一条指令执行以下操作:当检测到加密密码的修改操作时,获取用户输入的原加密密码和新加密密码;如果所述原加密密码与用户设定的加密密码一致,则获取采用所述原加密密码进行加密的至少一个密文;采用所述原加密密码对所述至少一个密文中每个密文进行解密,得到所述至少一个密文对应的至少一个私钥;采用所述新加密密码对所述至少一个私钥中的每个私钥进行重新加密,得到所述至少一个私钥对应的至少一个新密文;将所述至少一个新密文发送至所述服务器,由所述服务器将所述第一用户标识对应的所述至少一个密文替换为所述至少一个新密文。
- 一种信息存储装置,其特征在于,包括:一个或多个处理器、存储器,所述存储器用于存储至少一条指令,所述至少一条指令由所述处理器加载并执行以下操作:当接收到终端设备发送的信息存储请求时,根据第一用户标识对用户进行身份验证,所述信息存储请求携带所述第一用户标识、账户地址和待存储密文;如果身份验证成功,则根据预设配置信息,生成服务端序列化因子;根据所述服务端序列化因子和所述待存储密文,获取所述待存储密文的多个密文片段;对应所述第一用户标识存储所述账户地址,对应所述账户地址将所述多个密文片段分别存储至不同的密文数据库。
- 根据权利要求18所述的装置,其特征在于,所述处理器加载所述至少一条指令执行以下操作:当接收到所述终端设备发送的密文获取请求时,根据目标账户地址,获取与所述目标账户地址对应的至少两个密文片段,所述密文获取请求中携带所述目标账户地址;根据所述服务端序列化因子,对所述至少两个密文片段进行反序列化,得到与所述目标账户地址对应的密文;将所述密文发送至所述终端设备,由所述终端设备根据用户输入的第二加密密码对所述密文进行解密,以得到所述密文对应的私钥。
- 根据权利要求18所述的装置,其特征在于,所述处理器加载所述至少一条指令执行以下操作:当接收到所述终端设备发送的密码修改请求时,根据所述密码修改请求中携带的第二用户标识,获取与所述第二用户标识对应的至少一个密文;将所述至少一个密文发送至所述终端设备,由所述终端设备根据用户输入的原加密密码对所述至少一个密文进行解密,根据所述用户输入的新加密密码对解密后的至少一个私钥进行重新加密,并返回重新加密后的至少一个新密文;根据所述第二用户标识,将所述第二用户标识对应的所述至少一个密文更新为所述至少一个新密文。
- 一种存储介质,其特征在于,所述存储介质中存储有至少一条指令,所述至少一条指令由处理器加载并执行以实现如权利要求1至7任一项所述的信息存储方法。
- 一种存储介质,其特征在于,所述存储介质中存储有至少一条指令, 所述至少一条指令由处理器加载并执行以实现如权利要求8至10任一项所述的信息存储方法。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP18760687.6A EP3591930B1 (en) | 2017-03-03 | 2018-03-02 | Information storage method, device, and computer-readable storage medium |
US16/355,435 US11456864B2 (en) | 2017-03-03 | 2019-03-15 | Information storage method, device, and computer-readable storage medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710124884.5A CN106686008B (zh) | 2017-03-03 | 2017-03-03 | 信息存储方法及装置 |
CN201710124884.5 | 2017-03-03 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/355,435 Continuation US11456864B2 (en) | 2017-03-03 | 2019-03-15 | Information storage method, device, and computer-readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018157858A1 true WO2018157858A1 (zh) | 2018-09-07 |
Family
ID=58862539
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/077880 WO2018157858A1 (zh) | 2017-03-03 | 2018-03-02 | 信息存储方法、装置及计算机可读存储介质 |
Country Status (4)
Country | Link |
---|---|
US (1) | US11456864B2 (zh) |
EP (1) | EP3591930B1 (zh) |
CN (1) | CN106686008B (zh) |
WO (1) | WO2018157858A1 (zh) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111476572A (zh) * | 2020-04-09 | 2020-07-31 | 财付通支付科技有限公司 | 基于区块链的数据处理方法、装置、存储介质及设备 |
CN112491904A (zh) * | 2020-12-01 | 2021-03-12 | 德州职业技术学院(德州市技师学院) | 一种大数据隐私保护共享方法和系统 |
CN113078998A (zh) * | 2021-04-08 | 2021-07-06 | 太原理工大学 | 一种提供地址信息的区块链存证验证方法 |
CN113609366A (zh) * | 2021-08-04 | 2021-11-05 | 深圳市元征科技股份有限公司 | 数据获取方法、装置、终端设备及可读存储介质 |
CN114244856A (zh) * | 2020-09-09 | 2022-03-25 | 中国联合网络通信集团有限公司 | 基于区块链的网络存储方法、装置、系统及运营商平台 |
CN114428815A (zh) * | 2022-01-17 | 2022-05-03 | 多点生活(成都)科技有限公司 | 数据存储方法、装置、电子设备和计算机可读介质 |
Families Citing this family (66)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106686008B (zh) * | 2017-03-03 | 2019-01-11 | 腾讯科技(深圳)有限公司 | 信息存储方法及装置 |
CN107426170B (zh) | 2017-05-24 | 2019-08-09 | 阿里巴巴集团控股有限公司 | 一种基于区块链的数据处理方法及设备 |
CN107181599B (zh) * | 2017-07-18 | 2020-01-21 | 天津理工大学 | 基于区块链的路由位置数据保密存储及共享方法 |
CN107451275B (zh) * | 2017-08-04 | 2019-08-16 | 北京明朝万达科技股份有限公司 | 基于区块链的业务数据处理方法、装置、系统和存储设备 |
CN107256593B (zh) * | 2017-08-17 | 2020-07-03 | 深圳市智行能源技术有限公司 | 一种智能充电桩计费方法 |
CN111600710B (zh) * | 2017-10-27 | 2023-01-13 | 财付通支付科技有限公司 | 密钥存储方法、装置、终端、服务器及可读介质 |
CN111264045B (zh) * | 2017-11-10 | 2023-06-30 | 华为国际有限公司 | 基于异构身份的交互系统及方法 |
CN109784084B (zh) * | 2017-11-14 | 2022-03-22 | 中国电信股份有限公司 | 数据交易方法、装置和系统 |
CN109981551A (zh) * | 2017-12-28 | 2019-07-05 | 航天信息股份有限公司 | 一种基于区块链的数据传输系统、方法及相关设备 |
CN108599952B (zh) * | 2017-12-29 | 2019-01-08 | 重庆小犀智能科技有限公司 | 一种基于区块链的通信方法 |
CN108509810A (zh) * | 2018-03-19 | 2018-09-07 | 宋钰 | 数据处理方法及系统 |
CN108667717B (zh) * | 2018-04-20 | 2021-06-08 | 网易(杭州)网络有限公司 | 基于即时通信消息记录的区块链处理方法、介质、装置和计算设备 |
CN108900869B (zh) * | 2018-05-04 | 2021-02-02 | 烽火通信科技股份有限公司 | 一种通信组信息加解密方法及系统 |
WO2019213869A1 (zh) * | 2018-05-09 | 2019-11-14 | 合肥达朴汇联科技有限公司 | 一种用于区块链节点的方法及装置 |
CN108632284B (zh) | 2018-05-10 | 2021-02-23 | 网易(杭州)网络有限公司 | 基于区块链的用户数据授权方法、介质、装置和计算设备 |
JP2019211821A (ja) * | 2018-05-31 | 2019-12-12 | ソニー株式会社 | 情報処理装置、情報処理方法、およびプログラム |
CN108846290A (zh) * | 2018-07-06 | 2018-11-20 | 佛山市灏金赢科技有限公司 | 一种密码生成方法及装置 |
CN108964903B (zh) * | 2018-07-12 | 2021-12-14 | 腾讯科技(深圳)有限公司 | 密码存储方法及装置 |
CN110958285B (zh) * | 2018-09-27 | 2023-03-31 | 安徽华峪文化科技有限公司 | 一种基于区块链的数据存储系统 |
CN110958211B (zh) * | 2018-09-27 | 2022-05-27 | 安徽华峪文化科技有限公司 | 一种基于区块链的数据处理系统及方法 |
CN109272317A (zh) * | 2018-09-27 | 2019-01-25 | 北京金山安全软件有限公司 | 一种区块链私钥的获取方法、装置及电子设备 |
CN109492424B (zh) * | 2018-09-29 | 2023-05-26 | 平安科技(深圳)有限公司 | 数据资产管理方法、数据资产管理装置及计算机可读介质 |
CN109587276A (zh) * | 2019-01-11 | 2019-04-05 | 中钞信用卡产业发展有限公司杭州区块链技术研究院 | 一种数据备份方法、系统及相关组件 |
CN109871698B (zh) * | 2019-01-14 | 2021-10-26 | 深圳市奥特尔软件技术有限公司 | 数据处理方法、装置、计算机设备和存储介质 |
CN109951295B (zh) * | 2019-02-27 | 2021-12-24 | 百度在线网络技术(北京)有限公司 | 密钥处理和使用方法、装置、设备及介质 |
CN109976948B (zh) * | 2019-03-18 | 2021-04-30 | 北京思源理想控股集团有限公司 | 一种私密信息备份方法及恢复方法和系统 |
CN110209727B (zh) * | 2019-04-04 | 2020-08-11 | 特斯联(北京)科技有限公司 | 一种数据存储方法、终端设备及介质 |
CN110166222B (zh) * | 2019-04-15 | 2024-05-28 | 平安科技(深圳)有限公司 | 多设备同时认证方法、装置、计算机设备及存储介质 |
CN110110550B (zh) * | 2019-04-19 | 2023-05-09 | 深圳华中科技大学研究院 | 一种支持云存储的可搜索加密方法及系统 |
CN110266872B (zh) * | 2019-05-30 | 2021-05-11 | 世纪龙信息网络有限责任公司 | 通讯录数据的管控方法、装置及云通讯录系统、计算机设备、计算机可读存储介质 |
CN110648139B (zh) * | 2019-09-03 | 2022-04-12 | 北京航空航天大学 | 基于分片技术和博弈论的区块链事务验证扩容方法及装置 |
US11132403B2 (en) | 2019-09-06 | 2021-09-28 | Digital Asset Capital, Inc. | Graph-manipulation based domain-specific execution environment |
US10831452B1 (en) | 2019-09-06 | 2020-11-10 | Digital Asset Capital, Inc. | Modification of in-execution smart contract programs |
CN110851881B (zh) * | 2019-10-31 | 2023-07-04 | 成都欧珀通信科技有限公司 | 终端设备的安全检测方法及装置、电子设备及存储介质 |
CN111104386B (zh) * | 2019-11-04 | 2023-09-01 | 京东科技信息技术有限公司 | 一种文件存储方法、终端及存储介质 |
CN110912974A (zh) * | 2019-11-11 | 2020-03-24 | 深圳市亦区科技有限公司 | 资源处理方法、装置、电子设备及计算机可读取存储介质 |
US11025598B1 (en) * | 2020-02-08 | 2021-06-01 | Mockingbird Ventures, LLC | Method and apparatus for managing encryption keys and encrypted electronic information on a network server |
CN111291398B (zh) * | 2020-03-04 | 2022-09-20 | 恒安嘉新(北京)科技股份公司 | 基于区块链的认证方法、装置、计算机设备及存储介质 |
CN111314644A (zh) * | 2020-03-16 | 2020-06-19 | 郭磊 | 一种基于模拟视频压缩器的视频压缩方法及系统 |
US11599551B2 (en) | 2020-03-30 | 2023-03-07 | Oracle International Corporation | Deserialization of stream objects using multiple deserialization algorithms |
US11477258B2 (en) * | 2020-03-30 | 2022-10-18 | Oracle International Corporation | Serialization of objects using multiple serialization algorithms |
CN111682943A (zh) * | 2020-05-20 | 2020-09-18 | 厦门区块链云科技有限公司 | 一种基于区块链的分布式数字身份系统 |
CN111988325B (zh) * | 2020-08-25 | 2022-11-11 | 中国南方电网有限责任公司 | 交易信息处理系统、方法、装置、计算机设备和存储介质 |
CN114257605A (zh) * | 2020-09-24 | 2022-03-29 | 航天信息股份有限公司 | 一种数据共享系统、方法、装置、介质和设备 |
CN112261015B (zh) * | 2020-10-12 | 2023-05-12 | 北京沃东天骏信息技术有限公司 | 基于区块链的信息共享方法、平台、系统以及电子设备 |
CN112600874B (zh) * | 2020-11-24 | 2023-03-31 | 成都质数斯达克科技有限公司 | 节点加入方法、装置、电子设备及可读存储介质 |
CN112600833A (zh) * | 2020-12-09 | 2021-04-02 | 上海文广科技(集团)有限公司 | 点播影院dcp播放设备私钥的云端分布存储系统及方法 |
CN112583674A (zh) * | 2020-12-16 | 2021-03-30 | 珠海格力电器股份有限公司 | 一种数据处理方法、装置、电子设备及存储介质 |
CN112612976A (zh) * | 2020-12-18 | 2021-04-06 | 深圳前海微众银行股份有限公司 | 数据处理方法、装置、设备及存储介质 |
CN112711648B (zh) * | 2020-12-23 | 2024-07-02 | 航天信息股份有限公司 | 一种数据库字符串密文存储方法、电子设备和介质 |
CN112651824A (zh) * | 2020-12-24 | 2021-04-13 | 平安信托有限责任公司 | 非银账户开户处理方法、装置、计算机设备及存储介质 |
CN112866995B (zh) * | 2020-12-28 | 2023-06-30 | 深圳酷派技术有限公司 | 连接方法、装置、电子设备及存储介质 |
CN112733130B (zh) * | 2021-01-18 | 2022-11-29 | 成都质数斯达克科技有限公司 | 账户注册方法、装置、电子设备及可读存储介质 |
CN112817972B (zh) * | 2021-01-22 | 2024-08-20 | 中信百信银行股份有限公司 | 数据存储方法、数据查询方法、装置及电子设备 |
US11256480B1 (en) | 2021-02-09 | 2022-02-22 | Oracle International Corporation | Deserialization of stream objects using constant-foldable method handles |
US11288045B1 (en) | 2021-02-09 | 2022-03-29 | Oracle International Corporation | Object creation from structured data using indirect constructor invocation |
CN112927080A (zh) * | 2021-03-05 | 2021-06-08 | 广东电网有限责任公司 | 基于区块链技术的电力行业多方信息共享方法 |
CN113032802B (zh) * | 2021-03-09 | 2023-09-19 | 航天信息股份有限公司 | 一种数据安全存储方法及系统 |
CN113177216B (zh) * | 2021-04-30 | 2023-03-14 | 北京市商汤科技开发有限公司 | 一种数据传输方法、装置、计算机设备和存储介质 |
CN114117406A (zh) * | 2021-09-30 | 2022-03-01 | 深圳前海微众银行股份有限公司 | 一种数据处理方法、装置、设备及存储介质 |
CN114239000A (zh) * | 2021-11-11 | 2022-03-25 | 中国南方电网有限责任公司 | 密码处理方法、装置、计算机设备和存储介质 |
JP2023114841A (ja) * | 2022-02-07 | 2023-08-18 | キオクシア株式会社 | 情報記録装置および情報記録システム |
CN114844644A (zh) * | 2022-03-16 | 2022-08-02 | 深信服科技股份有限公司 | 资源请求方法、装置、电子设备及存储介质 |
CN115426179B (zh) * | 2022-09-01 | 2024-05-03 | 中国联合网络通信集团有限公司 | 信息找回方法、装置和电子设备 |
CN115499121A (zh) * | 2022-09-15 | 2022-12-20 | 中国银行股份有限公司 | 基于5g的密码保存方法及装置 |
EP4345649A1 (en) * | 2022-09-29 | 2024-04-03 | Siemens Aktiengesellschaft | Computer-implemented method and system for processing a service with sovereign data |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016154001A1 (en) * | 2015-03-20 | 2016-09-29 | Rivetz Corp. | Automated attestation of device integrity using the block chain |
KR101673073B1 (ko) * | 2015-02-25 | 2016-11-04 | 이진희 | 블록체인 구조를 사용하는 암호화화폐 거래방법 |
CN106230808A (zh) * | 2016-07-28 | 2016-12-14 | 杭州云象网络技术有限公司 | 一种基于区块链技术的个人征信系统建设方法 |
CN106250721A (zh) * | 2016-07-28 | 2016-12-21 | 杭州云象网络技术有限公司 | 一种基于区块链的电子版权保护方法 |
CN106357640A (zh) * | 2016-09-18 | 2017-01-25 | 江苏通付盾科技有限公司 | 基于区块链网络的身份认证方法、系统及服务器 |
CN106686008A (zh) * | 2017-03-03 | 2017-05-17 | 腾讯科技(深圳)有限公司 | 信息存储方法及装置 |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5778395A (en) * | 1995-10-23 | 1998-07-07 | Stac, Inc. | System for backing up files from disk volumes on multiple nodes of a computer network |
CN1285235C (zh) * | 2003-10-31 | 2006-11-15 | 大唐微电子技术有限公司 | 应用国际移动设备识别码实现手机防盗的方法及其系统 |
US20060059363A1 (en) * | 2004-09-16 | 2006-03-16 | Mese John C | Method for controlling access to a computerized device |
US20070255947A1 (en) * | 2005-02-09 | 2007-11-01 | Choudhury Abhijit K | Methods and systems for incremental crypto processing of fragmented packets |
US8483385B2 (en) * | 2008-06-23 | 2013-07-09 | King Saud University | Natural language dependent stream ciphers |
EP2507708B1 (en) * | 2009-12-04 | 2019-03-27 | Cryptography Research, Inc. | Verifiable, leak-resistant encryption and decryption |
DE102011077513A1 (de) * | 2010-06-14 | 2012-08-23 | Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. | Verfahren zur sicheren Verarbeitung von Daten |
US8769269B2 (en) * | 2010-08-12 | 2014-07-01 | International Business Machines Corporation | Cloud data management |
US8971539B2 (en) * | 2010-12-30 | 2015-03-03 | Verisign, Inc. | Management of SSL certificate escrow |
CN103795696A (zh) * | 2012-10-31 | 2014-05-14 | 英业达科技有限公司 | 数据存取的方法及云端服务器系统 |
CN103107989A (zh) * | 2012-11-20 | 2013-05-15 | 高剑青 | 基于多哈希值的密码系统 |
US9825932B2 (en) * | 2013-01-09 | 2017-11-21 | Qatar Foundation | Storage system and method of storing and managing data |
US10043017B2 (en) * | 2013-04-15 | 2018-08-07 | Paul Lewis | Systems and methods for jurisdiction independent data storage in a multi-vendor cloud environment |
US10269009B1 (en) * | 2013-06-28 | 2019-04-23 | Winklevoss Ip, Llc | Systems, methods, and program products for a digital math-based asset exchange |
CN103532700A (zh) * | 2013-09-25 | 2014-01-22 | 国家电网公司 | 用电信息采集系统通信报文加解密模型 |
CN103595793B (zh) * | 2013-11-13 | 2017-01-25 | 华中科技大学 | 一种无需可信第三方支持的云端数据安全删除系统与方法 |
CN103825906B (zh) * | 2014-03-14 | 2017-02-15 | 网宿科技股份有限公司 | 基于内容分发网络的企业私钥自加密自部署方法 |
CN105827411A (zh) * | 2016-03-11 | 2016-08-03 | 联想(北京)有限公司 | 一种信息处理的方法及装置 |
US20170359318A1 (en) * | 2016-06-12 | 2017-12-14 | Apple Inc. | Diversification of Public Keys |
-
2017
- 2017-03-03 CN CN201710124884.5A patent/CN106686008B/zh active Active
-
2018
- 2018-03-02 WO PCT/CN2018/077880 patent/WO2018157858A1/zh active Application Filing
- 2018-03-02 EP EP18760687.6A patent/EP3591930B1/en active Active
-
2019
- 2019-03-15 US US16/355,435 patent/US11456864B2/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101673073B1 (ko) * | 2015-02-25 | 2016-11-04 | 이진희 | 블록체인 구조를 사용하는 암호화화폐 거래방법 |
WO2016154001A1 (en) * | 2015-03-20 | 2016-09-29 | Rivetz Corp. | Automated attestation of device integrity using the block chain |
CN106230808A (zh) * | 2016-07-28 | 2016-12-14 | 杭州云象网络技术有限公司 | 一种基于区块链技术的个人征信系统建设方法 |
CN106250721A (zh) * | 2016-07-28 | 2016-12-21 | 杭州云象网络技术有限公司 | 一种基于区块链的电子版权保护方法 |
CN106357640A (zh) * | 2016-09-18 | 2017-01-25 | 江苏通付盾科技有限公司 | 基于区块链网络的身份认证方法、系统及服务器 |
CN106686008A (zh) * | 2017-03-03 | 2017-05-17 | 腾讯科技(深圳)有限公司 | 信息存储方法及装置 |
Non-Patent Citations (1)
Title |
---|
See also references of EP3591930A4 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111476572A (zh) * | 2020-04-09 | 2020-07-31 | 财付通支付科技有限公司 | 基于区块链的数据处理方法、装置、存储介质及设备 |
CN111476572B (zh) * | 2020-04-09 | 2024-03-19 | 财付通支付科技有限公司 | 基于区块链的数据处理方法、装置、存储介质及设备 |
CN114244856A (zh) * | 2020-09-09 | 2022-03-25 | 中国联合网络通信集团有限公司 | 基于区块链的网络存储方法、装置、系统及运营商平台 |
CN114244856B (zh) * | 2020-09-09 | 2024-05-10 | 中国联合网络通信集团有限公司 | 基于区块链的网络存储方法、装置、系统及运营商平台 |
CN112491904A (zh) * | 2020-12-01 | 2021-03-12 | 德州职业技术学院(德州市技师学院) | 一种大数据隐私保护共享方法和系统 |
CN112491904B (zh) * | 2020-12-01 | 2022-05-20 | 德州职业技术学院(德州市技师学院) | 一种大数据隐私保护共享方法和系统 |
CN113078998A (zh) * | 2021-04-08 | 2021-07-06 | 太原理工大学 | 一种提供地址信息的区块链存证验证方法 |
CN113609366A (zh) * | 2021-08-04 | 2021-11-05 | 深圳市元征科技股份有限公司 | 数据获取方法、装置、终端设备及可读存储介质 |
CN114428815A (zh) * | 2022-01-17 | 2022-05-03 | 多点生活(成都)科技有限公司 | 数据存储方法、装置、电子设备和计算机可读介质 |
Also Published As
Publication number | Publication date |
---|---|
CN106686008A (zh) | 2017-05-17 |
US11456864B2 (en) | 2022-09-27 |
EP3591930B1 (en) | 2021-12-22 |
EP3591930A4 (en) | 2020-01-22 |
CN106686008B (zh) | 2019-01-11 |
US20190215157A1 (en) | 2019-07-11 |
EP3591930A1 (en) | 2020-01-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018157858A1 (zh) | 信息存储方法、装置及计算机可读存储介质 | |
CN112733107B (zh) | 一种信息验证的方法、相关装置、设备以及存储介质 | |
TWI713855B (zh) | 憑證管理方法及系統 | |
CN109600223B (zh) | 验证方法、激活方法、装置、设备及存储介质 | |
CN111193695B (zh) | 一种第三方账号登录的加密方法、装置及存储介质 | |
TWI672648B (zh) | 業務處理方法、裝置、資料共享系統及儲存介質 | |
CN112596802B (zh) | 一种信息处理方法及装置 | |
US20240305476A1 (en) | Systems and methods for providing authentication to a plurality of devices | |
WO2018133686A1 (zh) | 一种密码保护方法、装置及存储介质 | |
CN107979461B (zh) | 秘钥找回方法、装置、终端、秘钥托管服务器及可读介质 | |
WO2017041599A1 (zh) | 业务处理方法及电子设备 | |
CN111818100B (zh) | 一种跨网配置通道的方法、相关设备及存储介质 | |
US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
US20210194877A1 (en) | Data processing method, system, and apparatus, storage medium, and device | |
WO2021036292A1 (zh) | 身份鉴别方法及装置 | |
CN106845177A (zh) | 密码管理方法及系统 | |
CN115001841A (zh) | 一种身份认证方法、装置及存储介质 | |
WO2018108123A1 (zh) | 身份验证方法、装置与系统 | |
US11722303B2 (en) | Secure enclave implementation of proxied cryptographic keys | |
WO2018108062A1 (zh) | 身份验证方法、装置及存储介质 | |
US11418329B1 (en) | Shared secret implementation of proxied cryptographic keys | |
WO2017067369A1 (zh) | 一种加密图片、解密图片的方法、装置和设备 | |
CN113037741A (zh) | 一种鉴权方法和相关装置 | |
CN108737341B (zh) | 业务处理方法、终端及服务器 | |
CN114389825B (zh) | 一种基于区块链的数据通信方法和相关装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18760687 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2018760687 Country of ref document: EP |